Tag Archives: security

Time to Secure Your Cookies

Posted in: Programming by Steve on October 25, 2010

So I came across this article: http://codebutler.com/firesheep.

Wow, time to secure your sites.

Autotest in Ruby

Posted in: Programming by Steve on September 29, 2010

Getting constant feedback on the health of your system is always a great thing.  In Rails, you can install a gem called autotest that can run your tests as you change your application and let you know if you have broken anything.

All you have to do is start a terminal window, and type “autotest”.  That’s it!  You get instant feedback on your tests!

http://ph7spot.com/musings/getting-started-with-autotest

ASP.NET Vulnerability Fix Today

Posted in: Programming by Steve on September 28, 2010

Scott Guthrie announced on his blog that a fix from Microsoft will be available for download sometime today, and that the fix will be available through Windows Update in the coming week(s).

http://weblogs.asp.net/scottgu/archive/2010/09/27/asp-net-security-update-shipping-tuesday-sept-28th.aspx

Please make sure to update your servers.

Update (3:00 PM)

Scott Guthrie has a post on all the fixes: http://weblogs.asp.net/scottgu/archive/2010/09/28/asp-net-security-update-now-available.aspx

Home Security

Posted in: Home by Steve on September 22, 2010

A house near us was broken into last week.  It was during the middle of the day and they took a lot of the valuables from the house.  My wife and I are now on the lookout to make sure that we always have our house locked up and that we’re watching for shady people in our neighborhood.

I saw this comic from Ctrl-Alt-Del and LOL’d

http://www.cad-comic.com/cad/20100920/

ASP.NET Vulnerability In Action

Posted in: Programming by Steve on September 20, 2010

Watch how easy it is for a hacker to use a script to get your machine keys, then use them to get a file uploaded through DotNetNuke and executed on the server.

Scary stuff

See Scott Guthrie’s post on how to fix your site.

ASP.NET Security Vulnerability Fix

Posted in: Programming by Steve on September 19, 2010

In my previous post, ASP.NET Vulnerability, I wrote about an issue in ASP.NET that would allow someone to get information from your 500 errors.  Microsoft has a workaround for this issue. They recommend changing your web.config so that public servers do not show the “Yellow Screen of Death” and instead display a friendly message to end users.  To do this, you have to change the <customErrors> section of your web.config to look like this:

.NET 3.5 SP1 and later

<location allowOverride="false">
  <system.web>
    <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/ErrorPage.aspx" />
  </system.web>
</location>

Earlier than .NET 3.5 SP1

<location allowOverride="false">
  <system.web>
    <customErrors mode="On" defaultRedirect="~/error.html" />
  </system.web>
</location>

Additionally, either create a static error.html page in a location accessible to the end user or an ErrorPage.aspx as defined in the bulletin from Microsoft.
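
An added example, not from the original post or from Microsoft's bulletin: a small Python check that parses a web.config and reports whether the customErrors settings shown above are in place. The function name, the `net35sp1_or_later` flag and the sample configs are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: detailed errors left on.
WEAK = """<configuration><system.web>
  <customErrors mode="Off" />
</system.web></configuration>"""

# Constructed samples wrapping the two snippets from the post.
NET35_SP1 = """<configuration><location allowOverride="false"><system.web>
  <customErrors mode="On" redirectMode="ResponseRewrite"
                defaultRedirect="~/ErrorPage.aspx" />
</system.web></location></configuration>"""

PRE_35_SP1 = """<configuration><location allowOverride="false"><system.web>
  <customErrors mode="On" defaultRedirect="~/error.html" />
</system.web></location></configuration>"""


def audit_custom_errors(web_config_xml, net35sp1_or_later=True):
    """Return a list of findings; an empty list means the settings match."""
    root = ET.fromstring(web_config_xml)
    # Match on the local tag name so a default xmlns on the root does not hide it.
    nodes = [el for el in root.iter() if el.tag.rsplit("}", 1)[-1] == "customErrors"]
    if not nodes:
        return ["no <customErrors> element found"]
    findings = []
    for node in nodes:
        mode = node.get("mode")
        if mode != "On":
            findings.append(f"mode is {mode!r}, expected 'On'")
        if not node.get("defaultRedirect"):
            findings.append("defaultRedirect is not set")
        # redirectMode only exists from .NET 3.5 SP1 onward.
        if net35sp1_or_later and node.get("redirectMode") != "ResponseRewrite":
            findings.append("redirectMode is not 'ResponseRewrite'")
    return findings


if __name__ == "__main__":
    for name, xml in [("weak", WEAK), ("3.5 SP1+", NET35_SP1)]:
        print(name, audit_custom_errors(xml) or "OK")
    print("pre-3.5 SP1", audit_custom_errors(PRE_35_SP1, False) or "OK")
```

Pass `net35sp1_or_later=False` for servers on older frameworks, where the redirectMode attribute is not available.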

ASP.NET Vulnerability

Posted in: General by Steve on September 14, 2010

Looks like there’s an AES encryption bug in ASP.NET applications that use Forms Authentication, Membership or Role Providers.

http://securitythroughabsurdity.com/2010/09/vulnerability-in-net-aes-implementation.html

Details will be available on Friday, but this is very disconcerting because even if the person who found this wanted to, he/she would not be able to fix it.  Microsoft has to issue a patch and then test it, then release it (maybe).