security

How safe is openID?

Is this something that can be used for highly secure information or should it be bypassed for a single site authentication system? This may be a stupid question (as it does not sound secure) but I would like some advice. ...

Is database encryption less safe than application encryption?

I receive data, and use AES or Blowfish to encrypt it before saving it to the database, so the encryption is done at the application level. If someone steals the database, the data will be relatively safe unless they stole the application also (where the key is stored/accessed). I'm now looking into database encryption with libraries l...

CP-ABE and ABE API

Is there any Java or .Net implementation (API) available for Ciphertext-Policy Attribute-Based Encryption or for Attribute-Based Encryption ...

MCRYPT_DEV_RANDOM always the same

I'm using MCRYPT_DEV_RANDOM and MCRYPT_DEV_URANDOM as part of Blowfish encryption, but I'm noticing it outputs the same random digit every time. It differs from machine to machine, but it's the same on each machine. Is this normal? Does it affect the strength of the initialization vector (IV) I generate with it? ...

How can I programmatically edit the hosts file in Windows 7/Server 2008?

I'm writing a little WPF utility to manage entries in the hosts file for dev purposes. As you might know the hosts file is protected by the newer OSs (Win 7/2008/Vista). I've added a manifest to my application to set the requestedExecutionLevel to "requireAdministrator", as detailed here (using "the easy way") and in the related questio...

Windows 7 How to write to "Programs Folder\app directory" using visual studio

I have developed software and am trying to protect it from being copied from one machine to another by writing all of the machine MAC addresses to a text file in the root apps folder for the program on the first run of the app. Every time the app is run thereafter it checks to see if the text file is there and compares data in the text f...

Ways to make JavaScript code hacking / injection / manipulation difficult?

Are there ways to prevent, or make it difficult enough, for someone to inject JavaScript and manipulate the variables or access functions? A thought I had is to change all var names randomly on each reload so the malware script would need to be rewritten every time. Or are there other less painful ways? I understand that eventually some...

What's the best way to write to Linux system files using PHP

We need some scripts to generate config files for network services such as DHCP, DNS and Network based on user input. These require root access, but I don't know how to run the PHP application as root. It's run through a public web interface. ...

Data leakage in db-level encryption

I read a comment that when doing the data encryption at the database level as opposed to the application level, some of the data will linger in its raw plain text format in the logs. True or false? And is it something I should worry about? ...

.NET : Set Active Directory security via Web.config only

Our application requires Active Directory for users to access it. Our goal is to split the business logic and the security. Here is what I am trying to do but have not succeeded at yet: 1) Connect to Active Directory via web.config. 2) Specify groups needed for each .aspx page in the web.config file. (e.g.: index.aspx = admin, users) 3) Redire...

What security problems could come from exposing phpinfo() to end users?

If a phpinfo() dump is shown to an end user, what is the worst that a malicious user could do with that information? What fields are most insecure? That is, if your phpinfo() was publicly displayed, after taking it down, where should you watch/focus for malicious exploits? I'm wiki'ing this up, so that we can compile answers. ...

Using the same salt for multiple fields

I have a field in a row that I'm hashing and salting. The salt for each row is different. I decided to hash/salt a couple of more fields in each row. Would using the same salt for those new fields in the same row make the data more susceptible to rainbow attacks compared to if I were to generate a new salt for each field? My logic is t...
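One way to keep a single stored salt per row while still giving every field its own salt, as an added Python example (this is not code from the question or from any answer on this page). The row contents, field names, candidate list and iteration count are constructed for the illustration; the field-salt derivation (HMAC of the field name under the row salt) is the technique being shown:

```python
import hashlib
import hmac
import secrets

# Constructed example row: field names and values are made up for this
# illustration, not taken from the question.
ROW = {"password": "correct horse", "pin": "4821", "answer": "correct horse"}
ITERATIONS = 1_000  # kept low so the demo runs quickly; use far more in production


def derive_field_salt(row_salt: bytes, field_name: str) -> bytes:
    """Derive a distinct salt for one field from the single stored per-row salt.

    HMAC-SHA256(row_salt, field_name) differs for every field name, so each field
    gets its own effective salt while the database still stores only one salt per
    row. (Assumption: field names are fixed column names, so they can be re-derived.)
    """
    return hmac.new(row_salt, field_name.encode("utf-8"), hashlib.sha256).digest()


def hash_field(value: str, salt: bytes) -> bytes:
    """Salted, iterated hash of one field value (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", value.encode("utf-8"), salt, ITERATIONS)


def hash_row(row: dict, row_salt: bytes, per_field_salts: bool) -> dict:
    """Hash every field of a row, either with one shared salt (the question's
    scenario) or with a salt derived per field."""
    hashed = {}
    for name, value in row.items():
        salt = derive_field_salt(row_salt, name) if per_field_salts else row_salt
        hashed[name] = hash_field(value, salt)
    return hashed


def guess_row(hashed: dict, row_salt: bytes, per_field_salts: bool, candidates: list) -> tuple:
    """Attacker's view: dictionary-guess every field of one stolen row.

    Returns (recovered fields, number of PBKDF2 evaluations spent). With one
    shared salt the attacker hashes each candidate once and compares it against
    every field; with per-field salts the work is repeated for each field.
    """
    recovered = {}
    work = 0
    if per_field_salts:
        for name, target in hashed.items():
            salt = derive_field_salt(row_salt, name)
            for c in candidates:
                work += 1
                if hmac.compare_digest(hash_field(c, salt), target):
                    recovered[name] = c
                    break
    else:
        for c in candidates:
            work += 1
            h = hash_field(c, row_salt)
            for name, target in hashed.items():
                if hmac.compare_digest(h, target):
                    recovered[name] = c
    return recovered, work


def demo(per_field_salts: bool) -> tuple:
    """Hash the constructed row, then attack it with a small constructed wordlist.

    Returns (whether two fields holding the same value hash identically,
             the fields the attacker recovered, the hash evaluations it cost).
    """
    row_salt = secrets.token_bytes(16)
    hashed = hash_row(ROW, row_salt, per_field_salts)
    equal_fields = hashed["password"] == hashed["answer"]
    recovered, work = guess_row(hashed, row_salt, per_field_salts,
                                ["123456", "4821", "correct horse"])
    return equal_fields, recovered, work


if __name__ == "__main__":
    for mode in (False, True):
        print("per-field salts:", mode, demo(mode))
```

Two things the output makes visible. With one salt shared across the row, the "password" and "answer" fields, which hold the same value here, produce identical hashes, so the stolen table leaks that equality before any guessing starts; and a single pass over the wordlist (three PBKDF2 evaluations) is compared against every field in the row at once. With a salt derived per field the hashes differ even for identical values, and the attacker has to spend a separate pass per field (eight evaluations here). Either layout already defeats generic rainbow tables, since the per-row salt is random; the per-field derivation is about not letting one precomputation for a row pay off several times.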

Should I use the NetNamedPipe binding in WCF for security reasons?

The WCF documentation says that the "Net Named Pipe" binding can be used for fast interprocess communication on a single machine. It cannot be used for communication across machines. I would like to know if using the Net Named Pipe binding will protect my service from being attacked from outside the network. I've been told that the an...

Spring JmsTemplate + Security

I've just refactored some code that published to a JMS topic to use Spring's JmsTemplate class and now I'm receiving an exception stating I'm not authenticated. Previously I created the factory, made a connection, then session etc as follows: MQTopicConnectionFactory factory = new MQTopicConnectionFactory(); factory.setQueueManager(qMg...

How to pass out-of-band (current User Id) data to SQL Server 2008.

We have a web application that uses forms authentication to authenticate a user based on a user table in the database. (I.e. no Active Directory or SQL Server user accounts are involved here.) The web application accesses the SQL Server using a service account. However, for auditing, authorization and other purposes, our stored proced...

Help with the calculation (and usefulness) of password entropy

This is a two part question: Part 1 First, dealing with calculating the entropy of a password in PHP. I have been unable to find any code examples that are empirically sound and would really like some help in finding the 'right' way to calculate a final number. A lot of folks on the net have their own home-baked weighting algorithm, ...

Is it safe to store credit card and pricing information in ViewState even over SSL?

The title pretty much says it all, but to clarify more: I have a page with private properties that are storing a credit card object and a shopping cart object in ViewState so I can maintain a reference to them across postbacks. BTW the page involved will be using SSL. Is this safe? Thanks!!! ...

How can I make sure someone is not sending fake data?

Hey guys, I've been reading Stack Overflow for quite some time, but this is my first posted question. I have this tracking program written in C# which collects information about local computer usage and sends them to a server. The data is XML-formatted, sent once per ~10 minutes. My problem: no matter how I encrypt the XML data (be it...

Are OpenID Identity URLs sensitive information?

Are OpenID Identity URLs considered sensitive information? For example, is it safe to store plain text OpenID Identity URLs in a DB or whatnot? I can't think of any reason that you shouldn't... but damn am I good at being wrong sometimes! ...

Protect iPhone app from hackers

I'm developing some iPhone applications and I'm very frustrated when some of my applications get published on hacked app resources, and anyone can install those apps for free. So my question is: how do I protect an application from being dumped from memory, run in debug mode and made into a hacked ipsw bundle? Are there source examples for that? ...