tag:blogger.com,1999:blog-9044700336384811772024-11-21T23:30:18.572+01:00Software security blog by André N. Klingsheim, who's learning to love .NET and Microsoft servers.Klingshttp://www.blogger.com/profile/18038484174148191761noreply@blogger.comBlogger76125tag:blogger.com,1999:blog-904470033638481177.post-56384972159453661952015-10-01T17:33:00.000+02:002015-10-01T17:33:21.701+02:00

I just ran into a weird problem while creating a bootable USB-stick, it was impossible to do a full copy of the files from an .iso. I tried robocopy, xcopy, and even resorted to a file copy through the file explorer. Robocopy consistently reported the following error though: 2015/10/01 17:10:49 ERROR 5 (0x00000005) Copying File g:\autorun.infAccess is denied. It turned out that the antivirus

Klingshttp://www.blogger.com/profile/18038484174148191761noreply@blogger.com472tag:blogger.com,1999:blog-904470033638481177.post-83228998325003969822014-04-24T23:51:00.000+02:002014-04-24T23:51:40.489+02:00

Visual Studio Online looks pretty cool so I’ve decided that I'll use it for the next NWebsec release. The project setup was relatively straightforward and painless, but I hit a speed bump when I ran the first build of NWebsec. The first build was successful, but it didn’t run the unit tests. The build log contained the following warning: No test found. Make sure that installed test discoverers

Klingshttp://www.blogger.com/profile/18038484174148191761noreply@blogger.com211tag:blogger.com,1999:blog-904470033638481177.post-13830790677223833552013-10-13T15:39:00.000+02:002015-02-16T21:30:35.045+01:00

I guess it was long overdue for me to follow up on my Hardening Windows Server 2003 SSL/TLS configuration and Windows server 2003 vs 2008, SSL/TLS comparison posts. They were two of my very first blog posts and they still receive a decent amount of traffic. The world has fortunately moved forward since then, so in this blog post we’ll have a look at the default configuration of recent Windows

Klingshttp://www.blogger.com/profile/18038484174148191761noreply@blogger.com963tag:blogger.com,1999:blog-904470033638481177.post-84049204271804314392013-09-14T23:50:00.000+02:002013-09-14T23:50:14.089+02:00

Just a quick note on an error I often run into when I'm working on my Azure applications. I usually create Azure packages and upload them by hand through the Azure management portal. Ever so often I get the following error when I create the package in Visual Studio (2012). Unable to remove directory "bin\Release\app.publish\". Access to the path 'AzureStartupTest.Azure.cspkg' is denied.  

Klingshttp://www.blogger.com/profile/18038484174148191761noreply@blogger.com168tag:blogger.com,1999:blog-904470033638481177.post-22729283937561101132013-07-17T02:50:00.000+02:002013-11-07T22:22:54.242+01:00

OWASP recently released their Top Ten 2013 list of web application vulnerabilities. If you compare the list to the 2010 version you’ll see that Broken Authentication and Session Management has moved up to second place, pushing Cross Site Scripting (XSS) down to third place. Apparently authentication and session related issues are moving up in the world! It’s not that surprising, there’s so

Klingshttp://www.blogger.com/profile/18038484174148191761noreply@blogger.com241tag:blogger.com,1999:blog-904470033638481177.post-41470917700448199522013-06-29T17:50:00.000+02:002013-09-28T15:42:00.747+02:00

Microsoft's widely used e-mail service Hotmail was recently overhauled and rebranded Outlook.com. One of the less known services they provide is the support for custom domains. A couple of months ago, I was looking for a new (preferably free) e-mail service for my personal domain. It turned out Outlook.com had everything I needed! To set up a custom domain, you'll first have to log in to the

Klingshttp://www.blogger.com/profile/18038484174148191761noreply@blogger.com167tag:blogger.com,1999:blog-904470033638481177.post-10150498317715181522013-03-03T23:46:00.000+01:002013-03-03T23:46:09.533+01:00

The .NET 4.5 framework was released a couple of months ago and it included several improvements in the security area. To benefit from these improvements you need to do a few changes to you application's configuration file. The documentation is a bit scattered over MSDN and MSFT blogs, I figured I'd collect them here for easy reference. The ASP.NET team published a nice article on What's New

Klingshttp://www.blogger.com/profile/18038484174148191761noreply@blogger.com251tag:blogger.com,1999:blog-904470033638481177.post-43736487304013106992013-01-09T23:07:00.000+01:002013-09-28T17:15:19.504+02:00

Recently I wrote a piece of software that needed some configurable secrets — and they needed to be VERY secret. Consequently, I had to encrypt a custom configuration section. Unfortunately, I quickly ran into trouble and got an error message along the lines of: Encrypting configuration section... An error occurred creating the configuration section handler for myConfigSection: Could not load

Klingshttp://www.blogger.com/profile/18038484174148191761noreply@blogger.com185tag:blogger.com,1999:blog-904470033638481177.post-24047738489522067552012-09-06T23:31:00.000+02:002015-02-16T21:33:53.507+01:00

Security headers in an HTTP response There are many things to consider when securing a web application but a definite "quick win" is to start taking advantage of the security HTTP response headers that are supported in most modern browser. It doesn't matter which development platform you use to build your application, these headers will make a notable difference for the security of your

Klingshttp://www.blogger.com/profile/18038484174148191761noreply@blogger.com792tag:blogger.com,1999:blog-904470033638481177.post-61132455973422679382012-07-29T19:07:00.000+02:002012-07-29T19:11:27.811+02:00

Guids are used extensively throughout Microsoft systems and developers tend to turn to Guid.NewGuid() whenever they need to create a value to uniquely identify something. Guids might also be used as keys or identifiers in security critical operations — under the assumption that they are hard to guess for an attacker. I've been looking around the Internet to see if I could find some guidance on

Klingshttp://www.blogger.com/profile/18038484174148191761noreply@blogger.com154tag:blogger.com,1999:blog-904470033638481177.post-25414574990472724702012-05-15T18:57:00.000+02:002012-05-15T19:08:39.007+02:00

A couple of weeks ago I was remotely involved in a discussion on password hashing in .NET with @thorsheim, @skradel, and @troyhunt. (Follow them if you're on Twitter). The background for the discussion was that password hashing using MD5/SHA-1/SHA-256 isn't quite the state of the art anymore. All the recent password breaches have triggered recommendations to make password cracking harder. The

Klingshttp://www.blogger.com/profile/18038484174148191761noreply@blogger.com76tag:blogger.com,1999:blog-904470033638481177.post-597394561953049602012-05-13T19:51:00.000+02:002012-05-13T19:51:54.363+02:00

I noticed some unexpected activity on my Facebook wall the other day. I have a special list of "friends," who aren't really friends but more aquaintances. I have used that list to block them from seing much of what's going on on my Facebook wall (hey, we can still be "friends" right?). Now suddenly some of these people started "Liking" stuff I posted. And that struck me as..... weird.

Klingshttp://www.blogger.com/profile/18038484174148191761noreply@blogger.com42tag:blogger.com,1999:blog-904470033638481177.post-77569821893424768442012-04-17T19:02:00.000+02:002012-04-17T19:02:21.902+02:00

Every once in a while I've really missed having a Unix shell on my Windows box. When your e.g. monitoring a log file, Notepad just doesn't cut it. I've been using Cygwin on and off as an alternative to get access to handy tools such as cat, grep, less, tail, vi and so on. But I haven't really been too excited about Cygwin. I discovered recently that

Klingshttp://www.blogger.com/profile/18038484174148191761noreply@blogger.com45tag:blogger.com,1999:blog-904470033638481177.post-53348333675356746942012-03-19T10:45:00.000+01:002012-03-19T10:45:04.227+01:00

Vittorio Bertocci has shared some exciting news about the upcoming WIF tools for Visual Studio 11 on his blog. The tools look really nice, especially the local development STS. Here are the direct links (for future reference): WIF Tools for Visual Studio 11 Part I: Using The Local Development STS WIF Tools for Visual Studio 11 Part II: Manipulating Common WIF Settings From the UI WIF Tools for

Klingshttp://www.blogger.com/profile/18038484174148191761noreply@blogger.com43tag:blogger.com,1999:blog-904470033638481177.post-41314215965671689502012-03-06T17:08:00.000+01:002013-09-28T16:13:21.839+02:00

Yesterday I was playing around with the validateIntegratedModeConfiguration="true" setting on IIS 7.5. To my surprise I got an empty response back, with no indication of what went wrong. Looking at the response with Fiddler yields: HTTP/1.1 500 Internal Server Error Server: Microsoft-IIS/7.5 X-Powered-By: ASP.NET Date: Mon, 05 Mar 2012 15:59:52 GMT Content-Length: 0 There's not much

Klingshttp://www.blogger.com/profile/18038484174148191761noreply@blogger.com331tag:blogger.com,1999:blog-904470033638481177.post-17052264144502033782012-03-02T18:11:00.000+01:002012-03-04T16:20:26.950+01:00

Windows Identity Foundation (WIF) is vulnerable to replay of security tokens in its default configuration. The "Replay Detection" article on MSDN presents a good example of how things can go wrong without the replay detection (why do everyone have to use online banking as their example?): As another example, suppose that a user opens a browser on a public kiosk, logs on to a bank

Klingshttp://www.blogger.com/profile/18038484174148191761noreply@blogger.com82tag:blogger.com,1999:blog-904470033638481177.post-68325944321343865342012-02-20T18:22:00.000+01:002012-09-25T22:35:36.374+02:00

Today I had to add a new HttpModule to A LOT of web.configs. Adding it manually would be too tedious, so I had to figure out how to search for a single line in Visual Studio 2010 and replace it with two lines of text. If I could only find a way to search for some text, and replace it with several lines of text! Google turned up some hints about the Regex search, but no apparent solutions. After

Klingshttp://www.blogger.com/profile/18038484174148191761noreply@blogger.com32tag:blogger.com,1999:blog-904470033638481177.post-47152899178827697162012-01-11T20:15:00.000+01:002013-09-28T16:20:28.029+02:00

In connection with a bug in TransformTool, I've been looking into how text encoding is handled in the .NET framework. Turns out there are some caveats that can affect the correctness of a program, and when used in e.g. password validation they might turn out to be severe security issues. This post assumes you are somewhat familiar with how character encodings work. You might want to check out my

Klingshttp://www.blogger.com/profile/18038484174148191761noreply@blogger.com29tag:blogger.com,1999:blog-904470033638481177.post-30030874884806609682012-01-08T20:58:00.000+01:002013-09-28T16:35:35.084+02:00

"FACE WITH TEARS OF JOY" (U+1F602) Text encoding is a persistent source of pain and problems, especially when you need to communicate textual information across different systems. Every time you read or create an xml-file, a text file, a web page, or an e-mail, the text is encoded in some way. If the encoding is messed up along the way, the receiver will be looking at strange characters

Klingshttp://www.blogger.com/profile/18038484174148191761noreply@blogger.com31tag:blogger.com,1999:blog-904470033638481177.post-60853959418475217262011-12-16T13:18:00.000+01:002011-12-19T16:01:23.054+01:00

Last week the IE team announced that they'll soon start to automatically upgrade IE across Windows 7, XP, and Vista through Windows Update. A follow up from Microsoft's IT pro team details that IE 6 and IE 7 will be upgraded to IE 8 on Windows XP, while Vista and Windows 7 users will get IE 9. With Microsoft joining the herd of auto-upgraders the final pieces of the puzzle start to fall

Klingshttp://www.blogger.com/profile/18038484174148191761noreply@blogger.com31tag:blogger.com,1999:blog-904470033638481177.post-17426202840793193742011-12-13T14:42:00.000+01:002011-12-13T14:42:28.987+01:00

Just now on Facebook I got the following advertisement: I didn't quite react at the first glance, since every once in a while you get served the ads for "Russian ladies looking for love" etc. (hope I'm not the only one getting those). Then I realized that this ad was for Match.com! That's amazing. I clicked on it, and yes, it led me to: no.match.com. The title of the ad suggests that it

Klingshttp://www.blogger.com/profile/18038484174148191761noreply@blogger.com39tag:blogger.com,1999:blog-904470033638481177.post-59329970340497239552011-11-05T15:14:00.000+01:002011-11-05T15:14:13.711+01:00

A couple of months ago I blogged about Giving up your privacy for nothing at Yahoo News, ranting about how the Tweet button on a Yahoo News article required you to give complete control of  your Twitter account to some Twitter application. Well, I just had a more encouraging experience! You've probably heard about this Klout thing. On Twitter there has lately been several

Klingshttp://www.blogger.com/profile/18038484174148191761noreply@blogger.com108tag:blogger.com,1999:blog-904470033638481177.post-33199325768777845292011-11-02T20:01:00.000+01:002011-11-02T20:10:52.324+01:00

Are you using one of the many web pages that let you base64 decode data? In that case you should take a moment to think about the nature of the data you want to decode and what those pages could be doing with the data — apart from showing you the decoded version. tl;dr: Check out transformtool.codeplex.com for an offline alternative to the online Base64 decoders. Google's keyword tool

Klingshttp://www.blogger.com/profile/18038484174148191761noreply@blogger.com34tag:blogger.com,1999:blog-904470033638481177.post-30632564594282564942011-10-22T13:40:00.000+02:002011-10-22T13:40:57.575+02:00

Oracle recently released an update to its Java software, fixing more than 20 critical security issues in the software. Krebs has a good post on the update, briefly discussing the vulnerabilities and the fact that Java vulnerabilities are exploited for real. I have to say that in recent years I've installed Java more due to habit than because of an actual need for the software. So when I got

Klingshttp://www.blogger.com/profile/18038484174148191761noreply@blogger.com110tag:blogger.com,1999:blog-904470033638481177.post-76074163969407157352011-10-09T22:50:00.000+02:002011-10-09T22:50:04.329+02:00

Early this year Google started rolling out their new two-factor authentication procedure, which they refer to as 2-step verification. On their corporate blog they provided a few hints on why they were rolling out a new authentication procedure — mentioning risks associated with password reuse and phishing attacks. 2-step verification is now widely deployed, by June it was

Klingshttp://www.blogger.com/profile/18038484174148191761noreply@blogger.com70