Gmail’s Two Factor Authentication
Filed under: Security
Google recently implemented a new "two factor" authentication option for their Gmail application. Two-factor authentication adds another layer of security by requiring an additional verification step after you enter a valid username and password combination. This makes it more difficult for a malicious user who may have stolen your password to actually access ...
Call for Education or Need for Better Applications?
Filed under: Security
The fallout from the recent VA issue http://www.nextgov.com/nextgov/ng_20101222_6852.php has made me think about one issue around software security. Is it a lack of security education or out-dated applications that leads to some of these breaches? In this example, the users apparently wanted to be able to share their calendar among multiple employees. ...
SDL Regex Fuzzer
Filed under: Development, Security
Updated 11/2/2010. Microsoft has released a new free tool called the SDL Regex Fuzzer. You can download the tool from Microsoft's Download Center here: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=8737519c-52d3-4291-9034-caa71855451f. The Regex Fuzzer is used to test regular expressions to see whether they are vulnerable to regular expression denial of service (ReDoS) attacks. A Regular expression denial of ...
Firesheep: A Repudiation Issue
Filed under: Security
I recently posted on some of the hype surrounding the new Firesheep Firefox extension. Today, ComputerWorld (http://www.computerworld.com/s/article/9194159/Is_it_legal_to_use_Firesheep_at_Starbucks_) had an article discussing the legal issues around the use of the tool. I believe the legal aspect is important, but it could be very difficult to prove. I am more interested in the implications ...
Firesheep: What’s the hype?
Filed under: Security
Recently, a new Firefox extension called Firesheep was released. If you haven't heard about it yet, I am sure you will soon. If you are interested in it, a quick Google search will pull up many details. There have been many blog posts and other articles written about this new ...
Cyber Patriot III
I recently volunteered to help mentor the local Civil Air Patrol cadets in the Cyber Patriot III event. The goal of the event is to get the cadets interested in cyber defense by having them secure different systems. This scenario is defensive only. The cadets receive a virtual image that contains a vulnerable operating system ...
Adobe RoboHelp XSS
Filed under: Security
Adobe announced yesterday that two updates are available for the Adobe RoboHelp product. Multiple cross-site scripting (XSS) and content spoofing vulnerabilities were patched. Adobe has details about the update and the patch available at: http://www.adobe.com/support/security/bulletins/apsb10-23.html. It is recommended to update your RoboHelp installations and re-deploy ...
SQL Injection: Common Mistake
Filed under: Security
One of the most common suggestions for remediating SQL injection vulnerabilities is to use stored procedures. Stored procedures can reduce the risk of SQL injection, but if implemented incorrectly (typically by building dynamic SQL from their parameters) they create a false sense of security. For example, look at the stored procedure below: CREATE PROCEDURE dbo.usp_IsValidUser ( @UserName ...
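The post's procedure is cut off after its first parameter, so the following is an added T-SQL example rather than the post's own code. The `dbo.Users` table, the `@Password` parameter and both procedure bodies are assumptions; they reproduce the mistake the post describes (a stored procedure that concatenates its parameters into SQL text and runs it with `EXEC`) and put the corrected static-SQL version beside it.

```sql
-- Added example, not from the original post. Table and procedure bodies are
-- assumed for illustration; the post shows only "dbo.usp_IsValidUser ( @UserName".
CREATE TABLE dbo.Users (
    UserName     NVARCHAR(50)   NOT NULL,
    PasswordHash VARBINARY(32)  NOT NULL   -- unsalted hash, for brevity only
);
GO
INSERT INTO dbo.Users (UserName, PasswordHash)
VALUES (N'alice', HASHBYTES('SHA2_256', N'correct horse'));
GO

-- VULNERABLE: the procedure splices its parameters into a query string and
-- executes that string. The caller "only calls a stored procedure", but the
-- procedure itself turns user input into SQL, so injection is still possible.
CREATE PROCEDURE dbo.usp_IsValidUser_Dynamic
(
    @UserName NVARCHAR(50),
    @Password NVARCHAR(100)
)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX);
    SET @sql = N'SELECT COUNT(*) AS IsValid FROM dbo.Users WHERE UserName = N'''
             + @UserName
             + N''' AND PasswordHash = HASHBYTES(''SHA2_256'', N'''
             + @Password + N''')';
    EXEC (@sql);
END
GO

-- A username of  alice' --  closes the string literal and comments out the
-- rest of the WHERE clause, so the password is never checked and alice's
-- row is counted even though the password is wrong.
EXEC dbo.usp_IsValidUser_Dynamic @UserName = N'alice'' --', @Password = N'wrong';
GO

-- FIXED: static SQL. The parameters are bound as values, never as SQL text,
-- so quote and comment characters in @UserName are just characters.
CREATE PROCEDURE dbo.usp_IsValidUser
(
    @UserName NVARCHAR(50),
    @Password NVARCHAR(100)
)
AS
BEGIN
    SET NOCOUNT ON;
    SELECT COUNT(*) AS IsValid
    FROM dbo.Users
    WHERE UserName = @UserName
      AND PasswordHash = HASHBYTES('SHA2_256', @Password);
END
GO

-- The same payload now has to match a user literally named  alice' --
-- with the hash of 'wrong', so it does not validate.
EXEC dbo.usp_IsValidUser @UserName = N'alice'' --', @Password = N'wrong';
GO

-- If dynamic SQL is genuinely unavoidable (for example a table name chosen
-- from an allow-list), still pass the values through sp_executesql
-- parameters rather than concatenating them:
--   EXEC sp_executesql
--        N'SELECT COUNT(*) FROM dbo.Users WHERE UserName = @u',
--        N'@u NVARCHAR(50)', @u = @UserName;
```

The check to add to a code review is simple: inside every stored procedure, look for `EXEC (` or `EXECUTE (` applied to a string built from parameters, and for `sp_executesql` calls whose first argument is concatenated rather than parameterized. A procedure that does either gives none of the protection the "use stored procedures" advice is meant to deliver.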
Frame Busting
An often overlooked security control for a web application is to not allow the application (especially the login screen) to be embedded in a frame. This is often referred to as "frame busting". In some browsers, it is possible for the parent window to capture the keystrokes entered in a frame. This would be a problem with ...
Microsoft SDL Version 5 Released
Filed under: Development, Security
The latest update to Microsoft's Security Development Lifecycle (SDL) was released on March 31, 2010. You can download the Microsoft SDL V. 5 from here. This version has many updates around agile SDL practices. Building a secure SDLC is a priority concern for many development organizations today. Microsoft ...