Updated: 23.6.2002; 12:30:40 GMT.

Security weblog



Monday, May 20, 2002

13 security misimpressions

Fred Cohen, the person who defined the term "computer virus" 20 years ago, goes on a crusade against popular misconceptions about security:

  • That sounds like an 'academic' view
  • That's a Socialistic View
  • We have a firewall/intrusion detection system/virus scanner that will take care of it.
  • Nobody would be interested in hacking us.
  • "IT is responsible for security" - statement by the CEO.
  • "I use my children's names and passwords for all my passwords on all my accounts as I know the IT people make it safe".
  • We don't have to worry about viruses because [fill in the blank] - typically "we only use Macs", "we only use Linux", "we don't use shareware".
  • "We don't want to establish security policies, since that would upset the employees."
  • You consider *availability* to be a part of security?
  • Why waste money on intrusion detection? We've never seen a compromise or even an attack.
  • We use SSL, so our web site is secure.
  • We were certified by [PLACE NAME HERE] so we must be secure.
10:55:58 PM
Application security is the king

Fascinating article outlining the presentation given by Yahoo's chief scientist at the IEEE Symposium on Security and Privacy. Surprisingly (or not), the security issues of big service providers revolve around users cheating their way through the systems, or "violations and exploitations of the service". Examples of such attacks include spam, ratings forgery on auction sites, rankings forgery on game sites, sneaking advertisers' content into forums, misusing the redirect service, screen scraping and re-selling content, locking other bidders out of an auction through password attacks, and social engineering a way into another user's mailbox.

Similar peculiarities exist in most systems with a public user population. The most dangerous attacks are generally carried out at the application level. Just ask the financial industry! Not hackers, but business users fiddling with accounts were the biggest threat. And now, as all applications are on the web, you can fiddle with them too. Great, isn't it?

Network security is more or less a commodity nowadays: firewalls, O/S hardening, IDS, SSL. The interesting things happen at the application layer.

10:26:58 PM
Programming cryptography with .NET Framework

First off, there is the System.Security.Cryptography namespace of the Microsoft .NET CLR:

This namespace allows programmatic access to a variety of cryptographic services that you can incorporate into your applications to encrypt and decrypt data, ensure data integrity, and handle digital signatures and certificates. [MSDN via Sam Gentile's Radio Weblog]

The namespace provides the RSA, DSA, DES, TripleDES, RC2, MD5, SHA1, SHA256, SHA384, SHA512, HMACSHA1 and MACTripleDES algorithms, basic facilities for handling Authenticode certificates, and an XMLDSIG implementation.
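As an added example, not code from the original post or from Microsoft's documentation, the following C# program shows two of the services listed above in use: a keyed HMAC-SHA1 tag that lets a receiver holding the same secret detect any change to a message, and an RSA signature over the same data verified with only the public half of the key. The message text, the 20-byte key and the 1024-bit key size are constructed sample values; the program assumes the .NET Framework classes HMACSHA1, RSACryptoServiceProvider, SHA1CryptoServiceProvider and RNGCryptoServiceProvider from the namespace described here.

```csharp
// Added example (not from the weblog post): message integrity with
// System.Security.Cryptography. Sample message and key are constructed.
using System;
using System.Text;
using System.Security.Cryptography;

public class IntegrityDemo
{
    // Compute an HMAC-SHA1 tag over a message with a shared secret key.
    // Anyone without the key cannot produce a valid tag for altered data.
    public static byte[] Tag(byte[] key, byte[] message)
    {
        using (HMACSHA1 hmac = new HMACSHA1(key))
        {
            return hmac.ComputeHash(message);
        }
    }

    // Compare two tags by walking the full length rather than stopping at the
    // first mismatch, so the time taken does not reveal how many leading
    // bytes of a forged tag were correct.
    public static bool TagsEqual(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // Sign data with the private key; SHA1 is the hash applied before RSA.
    public static byte[] Sign(RSACryptoServiceProvider rsa, byte[] data)
    {
        return rsa.SignData(data, new SHA1CryptoServiceProvider());
    }

    // Verify a signature; only the public key is needed for this step.
    public static bool Verify(RSACryptoServiceProvider rsa, byte[] data, byte[] signature)
    {
        return rsa.VerifyData(data, new SHA1CryptoServiceProvider(), signature);
    }

    public static void Main()
    {
        // Constructed sample messages: an order and a tampered copy of it.
        byte[] message  = Encoding.UTF8.GetBytes("order=42;amount=100");
        byte[] tampered = Encoding.UTF8.GetBytes("order=42;amount=999");

        // Shared-secret integrity: sender and receiver both hold 'key'.
        byte[] key = new byte[20];                       // constructed 160-bit secret
        new RNGCryptoServiceProvider().GetBytes(key);
        byte[] tag = Tag(key, message);
        Console.WriteLine("HMAC matches original:      " + TagsEqual(tag, Tag(key, message)));
        Console.WriteLine("HMAC matches tampered copy: " + TagsEqual(tag, Tag(key, tampered)));

        // Public-key signature: only the private-key holder can sign,
        // anyone with the public key can verify.
        RSACryptoServiceProvider signer = new RSACryptoServiceProvider(1024);
        byte[] signature = Sign(signer, message);

        // Hand the verifier only the public parameters (false = no private key).
        RSACryptoServiceProvider verifier = new RSACryptoServiceProvider();
        verifier.ImportParameters(signer.ExportParameters(false));
        Console.WriteLine("Signature valid on original:      " + Verify(verifier, message, signature));
        Console.WriteLine("Signature valid on tampered copy: " + Verify(verifier, tampered, signature));
    }
}
```

The HMAC protects data exchanged between two parties who share a secret; the RSA signature additionally lets a third party check authorship without holding any secret. SHA1 and 1024-bit RSA reflect the era of this post; for new designs, the SHA256 family the namespace also provides and a larger RSA key are the better choice.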

Then there is ASP.NET that provides:

... support for common HTTP authentication schemes including support for Basic, Digest, NTLM, Kerberos, and SSL/TLS client certificates. ASP.NET also supports Microsoft Passport authentication and provides a convenient implementation of Forms-based (Cookie) authentication [GotDotNet]

Since ASP.NET does not support SSL/TLS beyond HTTP, an open-source SSL implementation may come in handy.

9:18:17 PM
Copyright 2002 © Jiri Ludvik.