Are there any options for secure email?
Are there any good and easy to use options for sending secure email? Why is this not commonplace? ...
security
Sending e-mail out of client application without storing password
My Aim: Sending an email (e.g. support request, error report) out of a C# Windows forms application. I know how do do this technically but here is the catch: In order to authenticate myself on the mail server (e.g. gmx, yahoo, own website) I need to store the login details inside the application (which runs on the client system). If som...
Reading the local password policy programmatically.
Are there Windows API functions that allows reading what the current password policy is? For instance, minimum length, complexity etc. If not reading, is there a way to verify a password against the policy programmatically? ...
Audit trails and implementing SOX/HIPAA/etc, best practices for sensitive data
I consider myself to be relatively proficient in terms of application design, but I've never had to work with sensitive data. I've been wondering about what the best practices were for audit trails and how exactly one should implement them. I don't have to do it right now, but it'd be nice to be able to confidently talk with a medical co...
How is this MySQL query vulnerable to SQL injection?
In a comment on a previous question, someone said that the following sql statement opens me up to sql injection: select ss.*, se.name as engine, ss.last_run_at + interval ss.refresh_frequency day as next_run_at, se.logo_name from searches ss join search_engines se on ss.engine_id = se.id where ss.user_id='.$user_id.' group by...
How safe is Greasemonkey?
I've never actually used greasemonkey, but I was considering using it. Considering that GreaseMonkey allows you to let random people on the Internet change the behavior of your favorite websites, how safe can it be? Can they steal my passwords? Look at my private data? Do things I didn't want to do? How safe is Greasemonkey? Thanks ...
What replaces .htaccess on IIS/ASP.NET sites?
On Apache/PHP sites if I want to put a senstive file within my website folders, I put a .htaccess file in that folder so users can't download the sensitive file. Is there a similar practice for IIS/ASP.NET sites, i.e. if I have a shared hosting account and don't have access to IIS server. Can I do this in web.config for instance? e.g. ...
Is SSL really worth it?
I'm wondering if I should add an SSL layer between my server and client. I'm not handling any confidential data, but there is a very small chance someone might want to hack transmissions in order to gain intelligence (this is a game by the way). Now the ammounts of data to be processed is considerable when compared to a small website and...
Security implications of Request.ServerVariables("REMOTE_ADDR") vs Request.ServerVariables("HTTP_X_FORWARDED_FOR")
Let's say we're tracking the end-user IP for a web service: ip = Request.ServerVariables("HTTP_X_FORWARDED_FOR") If ip = "" Then ip = Request.ServerVariables("REMOTE_ADDR") End If I've read that this is the best method of retrieving end-user IP because it works even for users on a transparent proxy. If we're using the end-user IP...
Database files and ASP.NET Login controls.
I was trying the ASP.NET login control tutorial and everything works well. However, I do not know how to have the Log-in control use my own database (SQL Server 2005) instead of using it's mdf file. I also have no idea where this file was created from since it doesn't show up at all on my solution. Any literature that I can find on the w...
Security considerations when hosting signed jars
What are the security implications for hosting signed jars on the internet? As I understand jar signing, once a user choose to auto-accept a certificate, it doesn't matter if the signed jar came from your domain, linked from another domain or hosted on another domain. For example, Sun uses this method to give applets OpenGL support, by ...
To protect software by accessing harddisk serial no
I want to get the VB.NET or VB code to access the hard disk serial no when starting the program. It's to help me to protect my own software from people who try to pirate copies. ...
Disabling PUT TRACE DELETE request in Apache Tomcat 6.0
I need to disable PUT, DELETE & TRACE HTTP requests on my Application Server, Apache Tomcat 6.0. All other sources, i have searched till now, have directed me towards the limit parameter in httpd.conf, Hence I'd put it before-hand that I am not using Apache Web Server, and requests are directly being handled by Tomcat, and so there is n...
Signing a mixed mode C++ assembly
Can you sign a C++ CLI application that is partially managed and partially unmanaged? ...
scripts embedded in images
I run a small browser MMO, and I have a problem where a couple users are embedding scripts into their profile images, and using them to make attacks against said users, and my game in general. Is there a way to protect against this, or do I need to start blocking people from being able to use their own custom images? If it helps any, i...
Generating a token that I can prove I generated
I need to generate random tokens so that when I see them later I can determine absolutely that they were actually generated by me, i.e. it should be near impossible for anyone else to generate fake tokens. It's kind of like serial number generation except I don't need uniqueness. Actually, its a lot like a digital signature except I am t...
Why isn't my page redirecting to the login screen for this protected page?
Hi, I added the following to my web.config to redirect the user to the login page if they aren't authenticated, but going to the URL does cause a redirect? <location path="user/add"> <system.web> <authorization> <deny users="?" /> </authorization> </system.web> </location> I have setup forms authen. lik...
Is there anyway to avoid this security issue in Lua?
I was just working on a localizable Lua string solution, when I came up with this hack, problem is I don't know how to avoid getting hacked by it :) So I was wondering if anyone, has done something similar and or knows how to protect from this kind of attack. (in user code) Since we can do this: =("foo"):upper() -->output: FOO It can...
Integrated authentication for mysql
When working with MSSQL on Windows I was used to a very convenient feature called integrated authentication. In short, being authenticated in Windows can give you access to the database, so no need to give any specific password. Now I am developing an application on Linux with no user interaction; this application needs to access a mysql...
What are the most common security mistakes programmers make?
There are the obvious wtfs that make the headlines such as SQL injection, authentication in JavaScript but are there other more fundamental and common errors programmmers tend to make when writing applications without considering security? ...