The Program.exe Problem

February 17th, 2007 by mb

A couple of years ago I mentioned in a SecurityFocus column that Windows has a problem when you put a file named “program.exe” in the system root directory. The problem is in how Windows handles spaces in paths that aren’t enclosed in quotes. Anyone with permission to create a file in the root directory could place a malicious program there and use it to escalate their privileges. Here’s an excerpt from that article:

Posted in Application Security, Hardening, Malware, Tools | 15 Comments »

Be Smarter with Account Names

February 15th, 2007 by mb

One thing that bothers me about many web sites out there is how I get to (or don’t get to) choose my account name. Sure, many web sites let you have any account name you want, but some web sites just want to use your e-mail address. While this is very convenient for low-security sites that you rarely visit, sometimes it just isn’t appropriate. What do you do, for example, when your e-mail address changes?

Posted in Application Security | No Comments »

Patterns & Practices Security Wiki

February 15th, 2007 by mb

If you do any kind of .NET web development, it would be well worth your time to dig through Microsoft’s Patterns & Practices Security Wiki.

The Wiki is a good index of old articles and a launching point for new articles on secure web development. Even if you have a small web application, it doesn’t hurt to be part of the solution, not part of the problem.

Posted in Application Security | No Comments »

My SSN is showing?

February 6th, 2007 by mb

I got an e-mail earlier this week from a financial web site. The e-mail displayed the last 4 digits of my U.S. social security number. Presumably, they didn’t show the entire number for security reasons, but I wondered how secure it really is to show even the last 4 digits. Can someone easily guess my full SSN with just the last 4 digits?

Posted in Application Security, Privacy | 1 Comment »

Yet another failed CAPTCHA?

February 2nd, 2007 by mb

Today I ran across a Firefox add-on that automatically fills out the CAPTCHA form when you log in:
https://addons.mozilla.org/firefox/4381/

Although some might think this is convenient, it plainly shows that eBay’s CAPTCHA, like so many others, fails to prevent automated form filling. So many CAPTCHAs are poorly implemented, whether on the development end, the visual end, or the user experience end, that they are starting to get a bad reputation.

Posted in Application Security | No Comments »

Pafwert: Smarter Passwords

January 30th, 2007 by mb

I am now making available a freeware desktop version of Pafwert, a strong password generator. Although it looks simple on the surface, Pafwert is a complex software application I built based on years of research on passwords and password security.

[Pafwert screenshot]

Posted in Application Security, Passwords, Privacy, Tools, Windows Security | 1 Comment »

Anti-phishing system can make phishing worse

December 10th, 2006 by mb

I am constantly frustrated with the poor security implementations I see all around the web. Often, these mistakes could be avoided by never breaking the simple security rules. One of these rules, which I wrote about in my book Hacking the Code, is that you should always ask for the username and password at the same time. This prevents others from harvesting user names from your login process. User names normally are not secrets, but if someone had collections of usernames from, say, banks, they could launch more effective and targeted phishing attacks.

Posted in Application Security | No Comments »