Security

In the beginning, there was the web and you accessed it though the browser and all was good. Stuff didn’t download until you clicked on something; you expected cookies to be tracking you and you always knew if HTTPS was being used. In general, the casual observer had a pretty good idea of what was going on between the client and the server. Not so in the mobile app world of today. These days, there’s this great big fat abstraction layer on top of everything that keeps you pretty well disconnect...

This is an online reproduction of the letter sent to First State Super today. I was disturbed to read about First State Super’s response to the ethical disclosure of a serious vulnerability in your financial software by Patrick Webster last month. As a fellow Australian software security professional, I’m worried by the dangerous precedent that this sets. As you’d be aware by now, this incident has gained worldwide attention and as you’d also be aware, the public response hasn’t exactly been i...

I just had a call from a very nice women who appeared to be from the subcontinent and wanted to help me remove viruses from my computer. Normally I’d dispense of such callers in a pretty quick, ruthless fashion but given the nature of this one I thought it was worth recording and sharing. It all unravels and the gig is finally up at the 23 minute mark. Enjoy! TL;DR: Here are the steps they wanted followed: 1. Open the event viewer then establish there are errors and warnings (there as v...

Consider this guidance now deprecated! The membership provider stored passwords as a salted SHA1 hash which is insufficient by today's standards and easily cracked [https://www.troyhunt.com/2012/06/our-password-hashing-has-no-clothes.html]. Refer instead to ASP.NET identity [http://www.asp.net/identity] which is a sufficient stronger and more modern implementation. -------------------------------------------------------------------------------- Often times I’ll have a discussion with a softwa...

Last week I wrote about Gootkit’s futile attack on ASafaWeb [https://www.troyhunt.com/2011/09/gootkits-futile-attack-on-asafaweb.html] and then a funny thing happened: Suddenly my Google Analytics keyword results become very Gootkit-centric: I see this as meaning either there is a lot of interest in Gootkit at the moment or there is not a lot of information available on what it is. Or both. Interestingly though, the activity appears to have ramped up right about the time of my initial post. T...

On Saturday morning I woke up to 120 emails from ASafaWeb [https://www.troyhunt.com/2011/09/building-safer-web-with-asafaweb.html], not because it really likes me but because it was in pain! One thing I did very early on with the project was to implement elmah [http://code.google.com/p/elmah/] and make sure I get an email notification when anything happens that shouldn’t. It won’t stay this way (for reasons you’re about to see), but it’s a good way of keeping an eye anything that goes wrong very...

When news came through recently about the Bondi Westfield shopping centre’s new “Find my car” feature, the security and privacy implications almost jumped off the page: “Wait – so you mean all I do is enter a number plate – any number plate – and I get back all this info about other cars parked in the centre? Whoa.” If that statement sounds a bit liberal, read on and you’ll see just how much information Westfield is intentionally disclosing to the public. Intended use Let’s begin with how the...

In case it’s not already pretty obvious by now, there are a bunch of websites out there which have some rather glaringly large vulnerabilities in them. Or at least they did have, then they were hacked in spectacular fashion and security suddenly became important to them. But of course we only hear about the big ones whilst hoards of smaller attacks go by unreported and very often, unnoticed. The thing about web app security is that it can be a complex subject. It’s pretty fair to say that it’s...

I love a good XKCD comic; Randall Munroe has a unique way of cutting right to the crux of technology issues and always doing it in a humorous fashion. Little Bobby Tables [http://xkcd.com/327/] remains an all-time classic and it’s amazing how many times you’ll see it quoted in security discussions – it’s now well and truly embedded in pop culture (well, at least in the little app-sec corner of the world). Last week’s password strength comic [http://xkcd.com/936/] was no exception; very funny st...

This content is now available in the Pluralsight course "OWASP Top 10 Web Application Security Risks for ASP.NET" [http://www.pluralsight.com/courses/owasp-top10-aspdotnet-application-security-risks] As we begin to look at the final few entries in the Top 10, we’re getting into the less prevalent web application security risks, but in no way does that diminish the potential impact that can be had. In fact what makes this particular risk so dangerous is that not only can it be used to very, very...