Posts tagged security
Today, i was just browsing around and stumbled upon a tool called nKrypt. It has been made by a programmer called Hugo Bonacci.
He made a rather interesting post about how to encrypt your web.config file. Thought its not a spot-on security solution for your asp.net projects but it does help by safeguarding your web.config file, if somebody got hands on them and changed them either for “evil” reasons or just by mistake.
Let me explain, suppose you have an enterprise applications in your company and you have made an asp.net application. Now many a times, a company has to share their source code repositories with their contractors which gives them a chance to snoop around in your web.config file which lays there open for anybody to get in and read in your darkest secrets. Though its not prevalent everywhere but many big (and small) companies do.
Another simple and more spot-on example would be, a junior engineer has joined in your company and is working on your project. He makes a mistake which allows a browser to get access to and download your web.config file. Though it doesnt seem likely but hey anything can happen.
So what does it hurt to get a bit of security. Isnt Prevention better than the cure?
So go about and download this simple tool and safeguard your web.config file from unauthorized access.
Beta web application Netalyzr is a free tool that analyzes your network for possible problems—large and small—helping you determine your overall network health.
As soon as you start the test (and agree to the security certificate), Netalyzer performs various tests on your computer’s connection. When the tests are complete, you’ll see an exhaustive rundown of all the results, including a handy “Noteworthy Events” section at the top that details the possible problem areas. Tests that pass are marked as green, minor problems are marked in yellow, and problems get the classic red. For a longer explanation of what each section is testing, just click the linked section title.
Did you give it a go? Let’s hear how your network handled the test in the comments.
If you’ve been using BitTorrent to download any of the more popular files, such as the latest episode of some major TV show, you may have found yourself receiving lots of “Wasted” data. This is data that has been discarded after being deemed corrupt or invalid by your BitTorrent client. Every so often, you will have received more wasted data than the size of the files you are downloading!
This is happening because Anti-P2P organizations are actively polluting P2P networks with fake peers, which send out fake or corrupt data in order to waste bandwidth and slow down file transfers. At its worst, when downloading major copyrighted torrents, as much as a fourth of the peers you are connected to can be attributed to various Anti-P2P agencies. There is also a much more serious side to this. Once you’ve established a connection to one of these fake “peers”, your IP has been logged and will most likely be sent to the RIAA/MPAA!
But there is a way to fight back! If you are using the latest µTorrent (1.5), you can employ a little known feature called IP filtering. The author of µTorrent has gone out of his way to hide it, but it’s there nonetheless.
But before we can activate this filter, we need to retrieve a list of currently known Anti-P2P organization IPs.
This is most easily done by downloading the latest blacklist from Bluetack (the same people who wrote SafePeer for the Azureus BT client) at http://www.bluetack.co.uk/config/nipfilter.dat.gz This list is updated daily, and contains all known Anti-P2P organizations, trackers and peers, aswell as all known Goverment/Military IP addresses as collected by the Bluetack team. Once downloaded, extract and rename the file original filename “ipfilter.dat” to “ipfilter.dat” in preparation for the final step.
EDIT ADD: FOR EVEN HIGHER SECURITY
Description: This list is all the blacklists bluetack makes put into a .dat.gz file for emule, now this will block some isp and also alot of things one may not think needed. Use at your own risk. This will have to be unzipped and then replace the .dat file manualy, in the config folder.
Version: Filesize: 0 bytes
Added on: 29-Apr-2005 Downloads: 39034
rename to “ipfilter.dat”
To make the list available to µTorrent, you need to place the renamed ipfilter.dat file in %AppData%\uTorrent. Go to Start -> Run and type %AppData%\uTorrent at the box. Click Ok button and a folder will appear.
After placing the ipfilter.dat in this folder, start µTorrent and go into preferences (Ctrl+P), then click on “Advanced”. In the right hand pane, make sure that “ipfilter.enable” is set to true, and then close the dialog. That’s it for the configuration.
You can verify that the list has been loaded by looking under the “Logging” tab of µTorrent, where you should see the line “Loaded ipfilter.dat (X entries)”.
Congratulations! You are now protected against most of the garbage-distributing peers; and the likelyhood of the RIAA or MPAA knocking at your door has been substantially reduced! I’d go as far as to say that you shouldn’t be using µTorrent at all without this feature turned on! And even if the law enforcement side of it doesn’t bother you, you should still be interested in reducing the amount of garbage data that gets sent your way, which in turn leads to quicker downloads, and isn’t that something everybody should strive for?
Note: It’s advised that you update the list at least once a month, to keep you updated on the movement of the Anti-P2P organizations. One tool that will aid you getting these updates is the “Blocklist Manager” from the same people who made the list; go to http://www.bluetack.co.uk/ and download it. On a related note, this note from the µTorrent FAQ should come in handy: “To reload ipfilter.dat without restarting µTorrent, simply open the preferences (ctrl+p), and press enter to close it again.”
Credit : Thanks to jesusisapervert for this tip!
A serious security hole in the latest iPhone software exposes e-mail, text, and voice messages to whoever gets a hold of the device despite it being password-protected.
Basically, clicking emergency call and double-clicking the “home” button brings up the favorites on iPhone 2.0.2, which opens up the address book, the dial keypad and voice mail, according to a report on Engadget, which got the tip on the hole from the MacRumors Forum.
Then, clicking on the blue arrows next to the names gives access to private information in a favorite entry, clicking in a mail address opens up the mail application, clicking on a URL in the contact information opens up Safari, and clicking on “send a text message” in a contact gives full access to the text messages.
The report suggests using the “home” setting so that double-clicking on the home button will take whoever is holding the phone to the unlock screen page.
Engadget reports that a fix for the hole will be included in the next firmware update, but it’s not known when that update will come.
Representatives from Apple did not respond to e-mails seeking comment.
Microsoft on Thursday released an improved security filter for its Internet Information Service (IIS) Web server that is designed to help thwart SQL injection attacks. The free application, called UrlScan 3.0 (Release-to-Web version), is an add-on tool to IIS that provides real-time verification of HTTP server requests, potentially blocking malicious code.
SQL injection attacks have become worldwide problem in the last eight months or so. They affect Web sites built using Microsoft’s popular ASP or ASP.NET code, or code enabling dynamic Web sites.
In June, Microsoft issued Security Advisory 954462, explaining that the SQL injection attack problem did not lie with SQL Server per se. Rather, poor security practices in Web applications are to blame, company officials explained.
A SQL injection attack is a direct attack on SQL Server by means of malicious code in a query string, which is passed to SQL Server through an Internet application. If the right safeguards are not in place, the code could be executed by Microsoft SQL Server, causing havoc on the Web site’s back end.
UrlScan has been available for about five years, but Microsoft added some new features in Version 3.0. Perhaps the most important improvement is that UrlScan 3.0 provides support for query string scanning.
For technical reasons, previous versions of UrlScan did not examine the query string in the server request. Instead, UrlScan Version 2.5 blocked server requests based on aspects such as URL string length, according to Wade Hilmo, Microsoft’s senior development lead on the IIS product team, the team that wrote UrlScan.
“In [UrlScan] 3.0, we added the ability to do filtering based on the query string, in addition to the URL,” Hilmo said. “We also added the ability to create more granular rules that can be targeted to specific types of requests. For example, you can write a rule that only applies to ASP pages or PHP pages, which is something you would never be able to do in UrlScan 2.5.”
Another improvement for developers is the ability to specify a safe list of URLs and query strings that can bypass UrlScan checks. In addition, Version 3.0 uses W3C-formatted logs for ease of analysis.
Version 3.0 of UrlScan is compatible with the configuration files administrators used with Version 2.5, so those settings are retained on an upgrade to a production server. Microsoft also added support for 64-bit IIS processes with this version.
Those using Microsoft’s latest Web server, IIS 7.0, already have UrlScan 2.5 features built into a component of IIS called the Request Filter, Hilmo said. Microsoft plans to update IIS 7 in the future to add the new features in UrlScan 3.0 to IIS 7.0, according to Hilmo’s blog.
UrlScan 3.0 is by no means a Web security cure all. Hilmo described it as a “stopgap measure” that can be used to protect the server. Security ultimately needs to be enforced in the Web application itself.
“Really the application running on the server is the only piece of code that actually knows what the SQL query is intended to do,” Hilmo explained. “So the fix for the root cause is for application developers to go in and do the validation and make sure that the SQL data that they are sending to the SQL Server is what they intend.”
He pointed people to Microsoft’s articles on best practices for Web application development to learn how to guard against attacks.
A couple of resources are available on the Microsoft Developer Network Web site:
- “How To: Protect From SQL Injection in ASP.NET” and
- “Improving Web Application Security: Threats and Countermeasures.”
For a relatively short list of blog resources on preventing SQL injection problems, go here.