ASP .NET Tracing, as any other debugging feature supported by any server product, should be disabled in production environments. There are many configuration settings that can be dangerous when used in live ASP.NET environments. Some examples include leaving the default debug errors enabled (<customerrors mode="Off">) which can disclose a wealth of information that could aid attackers launch SQL injection attacks (just to mention one example).<customerrors mode="Off"> </custome... read more

The recent case of a Wand corporation help desk team member, who has plead guilty to sabotaging the Wand network again highlights the threat of internal attacks. As the UK and the world is experiencing an extended recession, potentially with IT and other staff being made redundant. Human Resource (HR) procedures and security systems need to be in place, to cope with the increased risk from internal attacks. Human resources are responsible for running background checks and vetting new staff m... read more

So, version 1.2 of the PCI DSS standard has finally been released. No big jump to a version 2.0 just yet, so we weren’t expecting too many alterations. Wikipedia states that “v1.2 did not change requirements, only enhanced clarity, improved flexibility, and addressed evolving risks/threats.” I would like to address their addressing of one particular evolving risk, namely their “enforcement” of moving from WEP to WPA – Possibly in response to recent incidents. The changes were nicely detail... read more

Contrary to popular belief, password cracking is not an activity only performed by criminals such as crackers. Password cracking, AKA password recovery or password auditing, is a must-have skill for both penetration testers and computer forensic specialists. Quite often I get asked, "can someone brute-force my PGP private key?". The answer is of course: yes! Unlocking a private key by entering a passphrase is a local process, which occurs on the user's computer. In other words, there is... read more

Plenty of past ProCheckUp pen-tests have provided examples of poor password policies; however in one particular test we saw an interesting variant of this all-too-common problem. Typical password generators these days will make some attempt to generate a pseudo-random alpha-numeric string - perhaps not always the longest of strings but still a good effort. An example we found, on a web application for financial organizations, took an unfortunate step backwards. The application's password r... read more