Johannes Ullrich is the Chief Research Officer for the SANS Institute, where he is responsible for the SANS Internet Storm Center (ISC) and the GIAC Gold program. Prior to working for SANS, Johannes worked as a lead support engineer for a Web development company and as a research physicist. Johannes holds a PhD in Physics from SUNY Albany and is located in Jacksonville, Florida.
1. There have been so many reports of passwords being stolen lately. What is going on? Is the password system that everyone is using broken?
Passwords are broken. A password is supposed to be a secret you share with a site to authenticate yourself. In order for this to work, the secret may only be known to you and that particular site. This is no longer true if you use the same password with more than one site. Also, the password has to be hard to guess but easy to remember. It is virtually impossible to come up with numerous hard to guess but easy to remember
A very serious vulnerability in ASP.NET was revealed this past month that allows attackers to completely compromise ASP.NET Forms Authentication, among other things. When things like this happen, as developersit's important to see what lessons can be learned in order to improve the defensibility of our software.
Source: 'Padding Oracle' Crypto Attack Affects Millions of ASP.NET Apps
This vulnerability illustrates a couple of important lessons that all developers should take note of:
- Doing cryptography correctly is challenging
- Don't store sensitive information on the client
They've fixed the first issue with an out of bandpatch
which means Microsoft took this vulnerability as a very real and serious threat to ...
Checking the integrity of code you download is important and has to be done not just for the initial download, but for updates as well. We will discuss the options to implement integrity checks correctly.
I regularly get consulted on various web application security issues and defensive strategies. One of the recent "frequently asked questions" is around database encryption of web application. My answers to these kind of questions usually lead to awkward looking faces. I always start off asking more questions about the requirements, "Who are you trying to protect the data from?" and "What data are you trying to protect?" The answers to those questions are usually good indicator whether the person is on the right path or not.
In most cases, database encryption does not prevent the hacker from accessing the backend database via an application compromisse. The reasoning is very simple. If the web application needs to be able to access the data for normal operation and hackers are able to compromise the application, the hackers can essentially access the same data by controlling the applicaton (attacker owns the application). Encryption does not prevent a hacker to access the