The .NET n00b
Software security blog by André N. Klingsheim, who's learning to love .NET and Microsoft servers.
Author: Klings (http://www.blogger.com/profile/18038484174148191761). Feed last updated 2024-03-18.

When you just can't copy autorun.inf (published 2015-10-01)
I just ran into a weird problem while creating a bootable USB stick: it was impossible to do a full copy of the files from an .iso. I tried robocopy, xcopy, and even resorted to a file copy through the file explorer. Robocopy consistently reported the following error:
2015/10/01 17:10:49 ERROR 5 (0x00000005) Copying File g:\autorun.inf
Access is denied.
It turned out that the antivirus

NUnit and Visual Studio Online (published 2014-04-24)
Visual Studio Online looks pretty cool so I've decided that I'll use it for the next NWebsec release. The project setup was relatively straightforward and painless, but I hit a speed bump when I ran the first build of NWebsec.
The first build was successful, but it didn’t run the unit tests. The build log contained the following warning:
No test found. Make sure that installed test discoverers

Hardening Windows Server 2008/2012 and Azure SSL/TLS configuration (published 2013-10-13)
I guess it was long overdue for me to follow up on my Hardening Windows Server 2003 SSL/TLS configuration and Windows server 2003 vs 2008, SSL/TLS comparison posts. They were two of my very first blog posts and they still receive a decent amount of traffic. The world has fortunately moved forward since then, so in this blog post we'll have a look at the default configuration of recent Windows

The "Unable to remove directory "bin\Release\app.publish\" Azure packaging error (published 2013-09-14)
Just a quick note on an error I often run into when I'm working on my Azure applications. I usually create Azure packages and upload them by hand through the Azure management portal. Every so often I get the following error when I create the package in Visual Studio (2012).
Unable to remove directory "bin\Release\app.publish\". Access to the path 'AzureStartupTest.Azure.cspkg' is denied.
Ramping up ASP.NET session security (published 2013-07-17)
OWASP recently released their Top Ten 2013 list of web application vulnerabilities. If you compare the list to the 2010 version you'll see that Broken Authentication and Session Management has moved up to second place, pushing Cross Site Scripting (XSS) down to third place. Apparently authentication and session related issues are moving up in the world!
It's not that surprising, there's so

Outlook.com, custom domains, and ActiveSync (published 2013-06-29)
Microsoft's widely used e-mail service Hotmail was recently overhauled and rebranded Outlook.com. One of the less known services they provide is the support for custom domains. A couple of months ago, I was looking for a new (preferably free) e-mail service for my personal domain. It turned out Outlook.com had everything I needed!
To set up a custom domain, you'll first have to log in to the

Some important ASP.NET 4.5 security improvements (published 2013-03-03)
The .NET 4.5 framework was released a couple of months ago and it included several improvements in the security area. To benefit from these improvements you need to make a few changes to your application's configuration file. The documentation is a bit scattered over MSDN and MSFT blogs, so I figured I'd collect them here for easy reference.
The ASP.NET team published a nice article on What's New

How to encrypt a custom configuration section in ASP.NET (published 2013-01-09)
Recently I wrote a piece of software that needed some configurable secrets — and they needed to be VERY secret. Consequently, I had to encrypt a custom configuration section. Unfortunately, I quickly ran into trouble and got an error message along the lines of:
Encrypting configuration section...
An error occurred creating the configuration section handler for myConfigSection: Could not load

Security through HTTP response headers (published 2012-09-06)
Security headers in an HTTP response
There are many things to consider when securing a web application, but a definite "quick win" is to start taking advantage of the security HTTP response headers that are supported in most modern browsers. It doesn't matter which development platform you use to build your application, these headers will make a notable difference for the security of your

Generating secure Guids (published 2012-07-29)
Guids are used extensively throughout Microsoft systems and developers tend to turn to Guid.NewGuid() whenever they need to create a value to uniquely identify something. Guids might also be used as keys or identifiers in security critical operations — under the assumption that they are hard to guess for an attacker. I've been looking around the Internet to see if I could find some guidance on

Towards more secure password hashing in ASP.NET (published 2012-05-15)
A couple of weeks ago I was remotely involved in a discussion on password hashing in .NET with @thorsheim, @skradel, and @troyhunt. (Follow them if you're on Twitter.) The background for the discussion was that password hashing using MD5/SHA-1/SHA-256 isn't quite the state of the art anymore. All the recent password breaches have triggered recommendations to make password cracking harder. The

How Finnish disco killed my privacy (published 2012-05-13)
I noticed some unexpected activity on my Facebook wall the other day.
I have a special list of "friends," who aren't really friends but more acquaintances. I have used that list to block them from seeing much of what's going on on my Facebook wall (hey, we can still be "friends", right?). Now suddenly some of these people started "Liking" stuff I posted. And that struck me as... weird.
Get the UNIX feel in Windows 7 (published 2012-04-17)
Every once in a while I've really missed having a Unix shell on my Windows box. When you're, e.g., monitoring a log file, Notepad just doesn't cut it. I've been using Cygwin on and off as an alternative to get access to handy tools such as cat, grep, less, tail, vi and so on. But I haven't really been too excited about Cygwin.
I discovered recently that

Promising new WIF tools (published 2012-03-19)
Vittorio Bertocci has shared some exciting news about the upcoming WIF tools for Visual Studio 11 on his blog. The tools look really nice, especially the local development STS. Here are the direct links (for future reference):
WIF Tools for Visual Studio 11 Part I: Using The Local Development STS
WIF Tools for Visual Studio 11 Part II: Manipulating Common WIF Settings From the UI
WIF Tools for

IIS 500 errors leave clues in the log (published 2012-03-06)
Yesterday I was playing around with the validateIntegratedModeConfiguration="true" setting on IIS 7.5. To my surprise I got an empty response back, with no indication of what went wrong.
Looking at the response with Fiddler yields:
HTTP/1.1 500 Internal Server Error
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Mon, 05 Mar 2012 15:59:52 GMT
Content-Length: 0
There's not much

How to enable WIF token replay detection (published 2012-03-02)
Windows Identity Foundation (WIF) is vulnerable to replay of security tokens in its default configuration. The "Replay Detection" article on MSDN presents a good example of how things can go wrong without the replay detection (why does everyone have to use online banking as their example?):
As another example, suppose that a user opens a browser on a public kiosk, logs on to a bank

Multiline search and replace in Visual Studio (published 2012-02-20)
Today I had to add a new HttpModule to A LOT of web.configs. Adding it manually would be too tedious, so I had to figure out how to search for a single line in Visual Studio 2010 and replace it with two lines of text. If I could only find a way to search for some text, and replace it with several lines of text!
Google turned up some hints about the Regex search, but no apparent solutions. After

How not to hash passwords in .NET (published 2012-01-11)
In connection with a bug in TransformTool, I've been looking into how text encoding is handled in the .NET framework. It turns out there are some caveats that can affect the correctness of a program, and when used in e.g. password validation they might turn out to be severe security issues.
This post assumes you are somewhat familiar with how character encodings work. You might want to check out my

Introduction to character encoding (published 2012-01-08)
"FACE WITH TEARS OF JOY" (U+1F602)
Text encoding is a persistent source of pain and problems, especially when you need to communicate textual information across different systems. Every time you read or create an XML file, a text file, a web page, or an e-mail, the text is encoded in some way. If the encoding is messed up along the way, the receiver will be looking at strange characters

IE auto-upgrades, plugins next? (published 2011-12-16)
Last week the IE team announced that they'll soon start to automatically upgrade IE across Windows 7, XP, and Vista through Windows Update. A follow-up from Microsoft's IT pro team details that IE 6 and IE 7 will be upgraded to IE 8 on Windows XP, while Vista and Windows 7 users will get IE 9. With Microsoft joining the herd of auto-upgraders the final pieces of the puzzle start to fall

See pics of women, free (published 2011-12-13)
Just now on Facebook I got the following advertisement:
I didn't quite react at first glance, since every once in a while you get served ads for "Russian ladies looking for love" etc. (hope I'm not the only one getting those). Then I realized that this ad was for Match.com! That's amazing. I clicked on it, and yes, it led me to: no.match.com.
The title of the ad suggests that it

Twitter app privacy, there just might be hope! (published 2011-11-05)
A couple of months ago I blogged about Giving up your privacy for nothing at Yahoo News, ranting about how the Tweet button on a Yahoo News article required you to give complete control of your Twitter account to some Twitter application. Well, I just had a more encouraging experience!
You've probably heard about this Klout thing. On Twitter there have lately been several

Base64 decode online — are you sure? (published 2011-11-02)
Are you using one of the many web pages that let you base64 decode data? In that case you should take a moment to think about the nature of the data you want to decode and what those pages could be doing with the data — apart from showing you the decoded version.
tl;dr: Check out transformtool.codeplex.com for an offline alternative to the online Base64 decoders.
Google's keyword tool

Update Java — or just remove it (published 2011-10-22)
Oracle recently released an update to its Java software, fixing more than 20 critical security issues in the software. Krebs has a good post on the update, briefly discussing the vulnerabilities and the fact that Java vulnerabilities are exploited for real.
I have to say that in recent years I've installed Java more due to habit than because of an actual need for the software. So when I got

A Google 2-step verification vulnerability (published 2011-10-09)
Early this year Google started rolling out their new two-factor authentication procedure, which they refer to as 2-step verification. On their corporate blog they provided a few hints on why they were rolling out a new authentication procedure — mentioning risks associated with password reuse and phishing attacks. 2-step verification is now widely deployed, by June it was