Xato : Application Security

Lesson two on what not to do with a CAPTCHA

MB's Windows Security — Wed, 22 Aug 2007 18:02:54 GMT

In my previous post on CAPTCHAs I mentioned that “…you need to make sure the end user can’t do anything to influence what code you pick.” For this example, I will pick on captchas.net, which provides a free CAPTCHA service for anyone...(read more)

These CAPTCHAs are just not working out

MB's Windows Security — Wed, 22 Aug 2007 01:47:17 GMT

Filling out a web form without also having to pass a CAPTCHA test nowadays is pretty rare. CAPTCHAs weren’t really that annoying to me when they were more of a rare occurrence but I have been finding myself more and more bothered with them lately...(read more)

The Program.exe Problem

MBs Windows Security — Sat, 17 Feb 2007 19:30:07 GMT

A couple years ago I mentioned in a SecurityFocus column that Windows has a problem when you put a file named “program.exe” in the system root directory. The problem is basically in how it deals with spaces in paths that don’t have quotes...(read more)

Be Smarter with Account Names

MBs Windows Security — Fri, 16 Feb 2007 01:28:50 GMT

One thing that bothers me about many web sites out there is how I get to (or don’t get to) choose my account name. Sure, many web sites let you have any account name you want, but some web sites just want to use your e-mail address. While this is...(read more)

Patterns & Practices Security Wiki

MBs Windows Security — Thu, 15 Feb 2007 23:36:14 GMT

If you do any kind of .NET web development, it would be well worth your time to dig through Microsoft’s Patterns & Practices Security Wiki The Wiki is a good index of old articles and a launching point for new articles on secure web development...(read more)

My SSN is showing?

MBs Windows Security — Wed, 07 Feb 2007 00:34:46 GMT

I got an e-mail earlier this week from a financial web site. The e-mail displayed the last 4 digits of my U.S. social security number. Presumably, they didn’t show the entire number for security reasons, but I wondered how secure that really is...(read more)

Yet another failed CAPTCHA?

MBs Windows Security — Sat, 03 Feb 2007 00:02:13 GMT

Today I ran across a Firefox add-on that automatically fills out the CAPTCHA form when you log in: https://addons.mozilla.org/firefox/4381/ Although some might think this is convenient, it obviously shows that eBay’s CAPTCHA, like so many others...(read more)

Pafwert: Smarter Passwords

MBs Windows Security — Wed, 31 Jan 2007 04:30:35 GMT

Pafwert is an unique free tool to help you to select strong passwords that are easy to remember. Read More......(read more)

Anti-phishing system can make phishing worse

MBs Windows Security — Mon, 11 Dec 2006 04:28:50 GMT

I am constantly frustrated with poor security implementations I see all around the web. Often, these mistakes could be avoided by never breaking the simple security rules. One of these rules wrote about in my book Hacking the Code is that you should always...(read more)