Posts tagged "computer security"
Some time ago, I wrote a post that announced the availability of the account activity history page (which I will call for short "activity page"). Today I want to discuss the use of the activity page in relation to the notification messages we send for Read More...
I am breaking silence after a long pause. I have not had much information to share here as I have mostly worked on infrastructure services with no customer facing surface. Since 2011, I have been working in Microsoft account, the authentication service Read More...
Long time, no posting, but here is a security related news article that drew my attention: http://www.bernama.com.my/bernama/v5/newsworld.php?id=607450 A security breach at one of South Korea's top Web portals basically led to the loss of personal data Read More...
Here's an interesting older article from Bruce Schneier on securing data at rest, which goes over some of the points I mentioned earlier in my Who needs encryption? post. Read More...
This post is based on an old presentation I gave several years back. A video of the presentation used to be available here, but today I couldn't get it to work, so I am attempting to make available most of the information from the presentation within Read More...
A new attack improves significantly on previous attacks against AES-256, see: http://schneier.com/crypto-gram-0908.html#8 . This doesn't mean that AES-256 is broken yet, but the surprising bit here is that AES-128 is not susceptible to this particular Read More...
I was looking for information on a new SQL injection attack when I stumbled upon this very useful blog: http://s3cwatch.wordpress.com/ . It's worth a look from time to time, to get an idea of what attacks are going on in the wild. Read More...
I realized today that while I have discussed earlier object permissions, I have not gone into the details of object ownership. I want to cover the following here: ownership of objects, how it can be changed, and the relatively new permission CONTROL Read More...
http://www.techcrunch.com/2009/07/19/the-anatomy-of-the-twitter-attack/ The first step of registering an old email account to receive the password from a current account was a nice and easy way to break into an email account. After that, things pretty Read More...
A few weeks after my previous posting of a SQL Injection Advisory link, a new SQL Injection attack came up. Here's a post describing it; it also includes other useful links: http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html A search Read More...
This came up yesterday: http://www.microsoft.com/technet/security/advisory/954462.mspx . It has good information and links. Read More...
I have talked in the past about how passwords for SQL logins are protected in SQL Server (see this post). I would like to describe this scheme in a more generic way and compare it with the alternative of encrypting the passwords, because I have seen Read More...
Here's an attempt to succinctly describe why achieving security is difficult: The engineer wants to implement a program P that allows users to perform action A. The hacker looks at program P and wonders how he can use it to perform actions other than A. Read More...
I am starting this post to collect frequent Q&A related to password policy. I plan to keep updating the post if anything new is worth adding to it. Note that this FAQ does not cover SQL Server Compact Edition. Also note that BOL stands for Books OnLine. Read More...
A recent article brings up this question and argues that encrypting data at rest can open the door to a new range of security and usability problems. Speaking only of the security aspects, I both agree and disagree, so I'd like to add a few comments on Read More...