Some of my friends say I'm mad because I usually have a different password for each website, service or system I register with. And while I understand that it is not easy, having at least different passwords for important sites, normal sites and crappy sites (the more levels the better) is a good start. But even if you have a few "shared" passwords, there are some rules that for me are pretty basic and critical to ensure the security of your "online accounts".
I use a password safe program to store all the different website passwords. My recommendation is to check in detail which encryption algorithms it implements, how portable it is (USB drive/portable version, PDA/phone read-only version to check passwords wherever you are...), and of course, set up a really hard and strong password on the safe! Mine is around 30 characters long, including all kinds of characters. Remember that it will store everything, so it has to be the hardest password to crack!
It should also have a lockdown timer, so if you forget to close it, it auto-shuts down after X minutes.
The weakest point in the security chain is always the human factor, so try to harden it!
Time for another review, PasswordsPro. PasswordsPro is a "passwords safe" tool, similar to another application I use, Flexwallet/eWallet. It allows storing sensitive passwords (like website or email account ones) in an encrypted file.
The interface is very simple: we choose a passwords file, enter its master password, and then manage the list of passwords and secure notes (more on this later). There is no categorization, so with a huge list of passwords it might get a bit messy, but nothing we can't control by adding more info to the names.
The info for each password is the typical set, as we can see in the screenshot just above. There are no type/scope options, but we can store notes for each individual password (and so use this as a manual "custom fields" section).
Apart from passwords, we can store "secure notes" too.
As the name hints, they are just a list of text notes. Simple, but not available in other password safe programs, and interesting for storing not only passwords but other sensitive info.
Apart from these features, PasswordsPro supports inactivity protection, another usual feature that auto-closes the application after it has not been used for a given time (so you don't have to worry about leaving your safe open).
And the last nice feature: the application can be used as a portable app from a USB disk, just by copying the .exe, a .dll and your license file.
My only real complaint about this application is that I haven't found any details of which encryption algorithms are used, just "PasswordsPro uses encryption algorithms that are standard in the industry having a strong level of security".
It's been a long time since my last security-related post, but from time to time I'm assigned small tasks related to it. The last one, just finished today, was doing some research and proofs of concept about ISAPI filters for a Spanish company, to harden their servers and protect them from XSS and SQL injection.
One of my colleagues and I did some research and found some filters, both free and commercial (and some a bit outdated). After trying a commercial one, it proved crap. It couldn't even capture the parameters the right way (it was taking the URI instead of the full URL, so the query string was ignored, to give one of multiple examples). We grew desperate and started searching for filters more like mod_rewrite in Apache.
That was, until we came across Ionic's Isapi Rewrite Filter (IIRF), an open-source ISAPI filter written in Visual C++, which uses Perl-compatible regular expressions to define the rules and conditions for rewriting (or redirecting) URLs.
The installation is simple, so I won't go deep into it (read the included readme.txt; it is just adding a new ISAPI filter to IIS pointing to the filter's DLL file).
The interesting stuff comes after that: configuring IsapiRewrite4.ini, which holds all the regular expressions (rules) for matching and replacing.
They are used much like the mod_rewrite rules mentioned before, allowing for quite interesting stuff. Here are a few simple examples:
RewriteRule (.*)(<|%3c)(script|%73%63%72%69%70%74)(>|%3e)(.*) /incorrecturl.aspx [I,L]
This rule blocks all <script> tags (either plain or URL-encoded), ignoring case ([I] modifier).
RewriteRule (.*)%00(.*) $1$2 [I]
This rule strips null bytes, which are used for example to evade tag detection, as in: javas%00cript:
Note: here the [L] modifier is omitted to allow multiple replacements (if placed, it would only remove the first null found).
RewriteRule (.*)eval(\(|%28)(.*) /incorrecturl.aspx [I,L]
Same as the first one, this time with the start of the "eval(" JavaScript function call.
These are just a few rules; for a (quite large) list of common and not-so-common XSS attacks, check any XSS cheat sheet.
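To see how the three rules above behave, in particular why the null-stripping rule works without [L], here is an added Python model of the rule processing (example code written for this post, not part of IIRF or its configuration). It assumes IIRF's documented semantics only approximately: [I] makes the pattern case-insensitive, a matching rule replaces the whole URL with its expanded replacement, [L] stops processing, and without [L] the rule set is re-run from the top until nothing matches or an iteration limit (IIRF's IterationLimit) is hit. The rules are the ones quoted in the post; the sample URLs are constructed for the demo.

```python
import re
from typing import List, Tuple

# (pattern, replacement, flags) with IIRF-style $n back-references.
# These three rules are the ones quoted in the post.
Rule = Tuple[str, str, str]

POST_RULES: List[Rule] = [
    (r"(.*)(<|%3c)(script|%73%63%72%69%70%74)(>|%3e)(.*)", "/incorrecturl.aspx", "I,L"),
    (r"(.*)%00(.*)", "$1$2", "I"),
    (r"(.*)eval(\(|%28)(.*)", "/incorrecturl.aspx", "I,L"),
]

# Same null rule but with [L], to show the difference the post's note describes.
NULL_RULE_WITH_L: List[Rule] = [(r"(.*)%00(.*)", "$1$2", "I,L")]


def compile_rules(rules: List[Rule]):
    """Compile IIRF-style rules into (regex, python_replacement, is_last)."""
    compiled = []
    for pattern, replacement, flags in rules:
        flagset = {f.strip().upper() for f in flags.split(",") if f.strip()}
        regex = re.compile(pattern, re.IGNORECASE if "I" in flagset else 0)
        # IIRF writes back-references as $1, $2; Match.expand() wants \1, \2
        py_repl = re.sub(r"\$(\d)", r"\\\1", replacement)
        compiled.append((regex, py_repl, "L" in flagset))
    return compiled


def rewrite(url: str, rules: List[Rule], iteration_limit: int = 10) -> Tuple[str, int]:
    """Return (final_url, passes_over_the_rule_set).

    Approximation of IIRF (assumption, see lead-in): the first rule whose
    pattern matches replaces the entire URL with its expanded replacement.
    With [L] processing stops there; without [L] we go back to the first
    rule, bounded by iteration_limit so a self-matching rule cannot loop.
    """
    compiled = compile_rules(rules)
    passes = 0
    while passes < iteration_limit:
        passes += 1
        for regex, py_repl, is_last in compiled:
            m = regex.search(url)
            if m is None:
                continue
            url = m.expand(py_repl)
            if is_last:
                return url, passes
            break  # matched without [L]: restart from the first rule
        else:
            return url, passes  # no rule matched in this pass: done
    return url, passes  # iteration limit reached


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    samples = [
        "/page.aspx?q=%3Cscript%3Ealert(1)%3C/script%3E",
        "/page.aspx?u=javas%00cript%00:x",
        "/search.aspx?cb=EVAL%28x%29",
        "/index.aspx?id=42",
    ]
    for s in samples:
        print(s, "->", rewrite(s, POST_RULES))
    # With [L] on the null rule only the last %00 is removed:
    print(rewrite("/page.aspx?u=javas%00cript%00:x", NULL_RULE_WITH_L))
```

The null rule needs two passes on a URL with two %00 sequences: each match removes only the last one (the leading (.*) is greedy), and the restart after a match without [L] is what picks up the next. The model also shows the limits of this kind of filtering: a rule recognises only the exact spellings written into it, so these filters complement output encoding and parameterised queries rather than replace them.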
Today, a small post that I have had in mind for some time... a quick list of how to fortify against SQL injection (and some more general best practices).
I think I'm not leaving anything out... but if I am, I'll update the post. Comments will be appreciated ;)
My dog woke me up a bit early, so nothing better than a few security articles and slides to start the day. This is what I'm reading right now:
- The Silverlight security model (Parts I, II and III)
- MS Access SQL Injection Cheat Sheet
- LDAP & Blind LDAP Injection (in Spanish)
- XPath Injection, Brute Forcing & cracking paper (in Spanish)
- And an extra non-security one: Revisiting Programming Fonts