17 July 2008
[rant] SSL=Security
<rant> When in the world will people understand that SSL is just one aspect of security? Are we still living in the 90s? This is tax filing season in India. And being onsite I want to file it online. And ALL of the websites I visit assure me my data
16 February 2008
Forgot password security design
To err is human. To forget is even more human. Let’s delve into some of the design considerations. Your comments are greatly appreciated. 1. Pre-canned questions or user-defined questions? My colleague Rocky blogged about it. A must read! 2. Never send
15 November 2007
Security Summit 2007
I will be speaking at http://www.microsoft.com/india/security/ss-dev.aspx Drop me a mail if you want to meet me in person at Chennai and/or Kolkatta. Gaurav.Kumar@ youknowwhat.com
31 October 2007
CryptAcquireContext with CRYPT_SILENT flag
I tried to open a file. I got an access denied error. No problem, lemme check the ACL and finally the “effective permission”. Oh! I have full access. Hmmm… What could be wrong? OK, lemme see if the file is encrypted. Yes, it is. Do I have the corresponding certificate?
25 October 2007
SQL Server lock table and Hollywood business
Could there be a security risk in locking a database table? Even if there is a risk, could it impact Hollywood? Consider this. Suppose you are running a website which provides a movie ticket (or DVD rental) booking service. As new movies are released,
22 October 2007
IIS authentication methods
No, this is not yet another tutorial on how to use IIS authentication methods. This post is about how to find out the "effective" authentication method. Q: In the pic below, what will be the authentication method used by IIS? If you took more than 2 seconds
16 October 2007
Unnecessary authentication part II
Here is another example. I stumbled upon this website (see attached pic) which was asking me for a username, password AND HIP (captcha image). I hadn’t made any wrong password attempts and had also checked it from my home connection. I just don’t understand why
10 October 2007
DPAPI entropy tip and importance of obfuscation
Have you ever wondered why the CryptProtectData function asks for "Optional Entropy"? Entropy in the crypto world is defined as "randomness". Though it is quite difficult for a computer to generate a true random value, in this context of DPAPI one can choose a random
03 October 2007
Unnecessary authentication
After a long time I called up my share broker’s customer support. They are one of India’s best and biggest brokers. I was greeted with an automated message “please dial your customer id”. I did. And then “please enter your PIN”. I did. And then comes
17 September 2007
RMS myth
A few weeks back I got a link to a software which enables the options disabled by RMS. So it’s like if I get one RMSed email which has "do not reply all" set, I can run software which will enable the reply all button on my Outlook bar. And hence, RMS
09 September 2007
getHash() is not a security function
Consider the getHash() function. Going by the name, one could think of it as some sort of "hashing" in the cryptography world. Let me warn you, it’s NOT a function to be used for data integrity assurance. It is NOT a security related function. I stumbled upon
27 April 2007
When not to use DPAPI
DPAPI is great, but only when used in an appropriate scenario. Consider this: you encrypt data using DPAPI and later move (not copy) the data to another machine. Now you try to decrypt the data on the other machine and it fails. Okay, you change the password
Security is not an eight letter word
This blog is provided "AS IS" with no warranties, and confers no rights. Opinions are not necessarily of Microsoft.