security

How does your company do "Enterprise" Password Management?

We've talked about personal password management here but how do you guys manage your passwords at a company wide level? ...

Best security practices in Linux

What security best-practices would you strongly recommend in maintaining a Linux server? (i.e. bring up a firewall, disable unnecessary services, beware of suid executables, and so on.) Also: is there a definitive reference on Selinux? EDIT: Yes, I'm planning to put the machine on the Internet, with at least openvpn, ssh and apache (at...

Are HTTPS headers encrypted?

When sending data over HTTPS, I know the content is encrypted, however I hear mixed answers about whether the headers are encrypted, or how much of the header is encrypted. How much of HTTPS headers are encrypted? Including GET/POST request URLs, Cookies, etc. ...

Security, cryptography: Stupid Challenge - Response protocol??

Ok guys just a small game: I have some specifications for a project. At some point they ask for the following to encrypt a password over the net, saying that it is a challenge response protocol: CLIENT ----------------------------- SERVER (1)ask for challenge --------------> (2) <---------------------------- send SHA1 taken from ...

UnauthorizedAccessException with IIS7

I'm trying to write a log file from an ASP.NET application under IIS7, but keep getting the following exception: UnauthorizedAccessException "Access to the path 'C:\Users\Brady\Exports' is denied." I have given write access to the iis_iusrs, iis_wpg, and aspnet users, based on various advice found by Google, but still get the er...

How are ssl certificates verified?

What is the series of steps needed to securely verify an SSL certificate? My (very limited) understanding is that when you visit an https site, the server sends a certificate to the client (the browser) and the browser gets the certificate's issuer information from that certificate, then uses that to contact the issuer, and somehow com...

Prevent programmers from knowing passwords used at runtime

My application connects to an FTP server with a username and password. I can create an encryption routine to encrypt and decrypt the password, but anybody with access to the source code and the encrypted password can decrypt the password. Is there an easy way to prevent every human being from knowing the entire password used by an appl...

WCF transport security with no authentication

Is it possible to have transport security without authentication? I'm well aware of its flaws but atm I can't install a certificate at the client side. It seems I can set WSHttpBinding.SecurityMode to Transport and the ClientCredentialType to HttpClientCredentialType.None, but when I try to call the service I get this exception: An erro...

Why isn't my .net-calculated MD5 hash equivalent to the hash calculated on a web site?

I am trying to generate equivalent MD5 hashes in both JavaScript and .Net. Not having done either, I decided to use against a third party calculation - this web site for the word "password". I will add in salts later, but at the moment, I can't get the .net version to match up with the web site's hash: 5f4dcc3b5aa765d61d8327deb882cf99...

How Can I test my web site for SQL injection attacks?

What automated tools are there? ~~ Mark Harrison ~~ ...

A simple, medium secure, login protocol??

Hello there!!! I asked here about a protocol that I was asked to implement, and how secure it was. It seemed clear from the very beginning that it was shit. That being so, I ask: Can you guys point me to some very simple login protocol (I am null at cryptography systems)?? I am developing both server and client side of the application ...

How secure is sending sensitive data over https?

I would like to ask you about your opinion, guys. Is SSL secure enough for using sensitive data (like a password) in the query string? Are there any extra options to implement? Thanks for any word. X. ...

IIS Manager IIS6 Rights Management on Windows Server 2003

We are using a dedicated hosting provider to host several of our public websites. There are two development teams/divisions within our company who each maintain public websites on these same servers. Is there a way through ACLs or some sort of rights management (e.g. individual logins) that I would only be able to see and maintain only...

Password protected .NET ClickOnce deployment?

How can I protect a ClickOnce deployed application with a password? Do I have to change the IIS settings of the web or is there a way to do it programmatically? I'm using Visual Studio 2005 (.NET 2.0). If I have to use web credentials, are auto-updates of the application still possible? Would be great if you could provide some sample c...

Is Javascript a proper platform for cryptography? Or, can it be?

I noticed a good while back that Wikipedia links to a Javascript implementation of different hash functions. I also found Clipperz Crypto. Even Mozilla implements a crypto object in Firefox. So, is Javascript a proper platform for cryptography? Or, can it be? Or, I suppose.. Are there any purposes or benefits for hashing data before POST?...

Does this set of regular expressions FULLY protect against cross site scripting?

What's an example of something dangerous that would not be caught by the code below? EDIT: After some of the comments I added another line, commented below. See Vinko's comment in David Grant's answer. So far only Vinko has answered the question, which asks for specific examples that would slip through this function. Vinko provided...

How can I gain root access on a Mac OS X system without wiping the OS?

My father died recently and I've inherited his Mac. I'd love to put it to use in my own life, but I don't want to wipe its brains out just so I can reconfigure it to use in my network, etc. His old files are historically important to me. I trust you can understand my desire to keep them. I can log in as I had an account on the machine bef...

Secure access to files in a directory identified by an environment variable?

Can anyone point to some code that deals with the security of files access via a path specified (in part) by an environment variable, specifically for Unix and its variants, but Windows solutions are also of interest? This is a big long question - I'm not sure how well it fits the SO paradigm. Consider this scenario: Background: Sof...

Searching for a safe way to do authentication from a mobile app

I've inherited a mobile app which sends auth credentials (userid/password) in the clear. I'd imagine that I have 2 choices: a) use TLS. b) write my own auth protocol. If I choose (b), what are the key guidelines that I must follow to make it secure? e.g. how to avoid replay attacks, encryption strategies. Thanks ...

WCF self-hosted service with transport security (Authentication failed because the remote party has closed the transport stream.)

Hi, I have a self-hosted service that I want to add transport security to. I've set WSHttpBinding.SecurityMode to Transport and the ClientCredentialType to HttpClientCredentialType.None. I've created a certificate and set it to my host with ServiceHost.Credentials.ServiceCertificate.SetCertificate(). I've also registered it using netsh h...