Fasthosts, ''the UK's number 1 web host'' (by self acclamation I'm sure) is in the news today because apparently all of their customers' passwords (in plaintext) were compromised by a security breach.  They've asked all of their customers to change their passwords immediately, and of course since many people use the same passwords on ...

Wow, even Slashdot, anti-Microsoft capital of the Web, acknowledges that six months after its release, Vista Security is still besting Linux.  From the site: ''Great report on security vulnerabilities for MS/Linux/OS X. This is a revised version of the one Jeff Jones did back on March 21: Windows Vista — 90 Day Vulnerability Report. This ...

Michael Sutton recently blogged on creating a SQL Injection Attack crawler app that used Google to locate sites thar were susceptible to SQL Injection attacks. Scott Guthrie mentions the post in his blog.  Take a look at Michael's and Scott's posts. Very scary stuff. I guess I thought everyone knew this stuff already but then again it ...

Recently, a question came up in the ASP.NET security forums about the lack of a remote membership/role configuration tool in ASP.NET 2.0.  Being able to remotely manage users is important in pretty much any site where you have users.  Fortunately, QualityData has stepped in and developed that plus a little more in their ...

In a previous post (http://aspadvice.com/blogs/rjdudley/archive/2005/05/21/2595.aspx), I showed one way to protect files from direct download by configuring IIS.  In a shared hosting environment, this usually isn't possible, so I'll show another way to protect these files. First, a little review.  Out of the box, only certain file types ...

Today's NewsFactor Network showed up in my inbox, and the lead story was: ------------------------------------------------------------ 1. E-Mail Authentication: Holy Grail or Lost Cause? ------------------------------------------------------------ Originally, e-mail was never designed to do anything more than deliver text messages. But ...

My latest ASP Alliance article has been published: A Simple Passphrase Generator Passphrases have been receiving more and more attention as part of a strong security policy. When building secure web-based applications, assigning random passphrases to new user accounts can be a bit of a challenge. In this article, we'll build a simple passphrase ...

My latest ASP Alliance article has been published today: Preventing Page Review after Logout with Forms Authentication The inclusion of Forms Authentication in the .NET Framework has been a significant benefit to developers securing web-based applications. While pages can be secured server-side, local caching by browsers and proxy servers may ...

We all should be familiar with the fact that concatenating user input directly into SQL statements is an open invitation to an SQL Injection attack.  Code such asMySql = ''Select * from Orders where Customer ID=''' & txtCustomerId & '''''should be avoided.  If you need some more background information on SQL Injection attacks, I am building a ...

Microsoft MVP Susan ''The SBS Diva'' Bradley gives a short overview about sending encrypted e-mails.  In her post, she says you have to purchase a digital certificate.  From some certificate authorities, you may have to do so, but Thawte offers free certificates for e-mail through their Web of Trust program.  When your certificate ...