Deal with top security vulnerabilities

Cross-site request forgery is an attack in which an attacker coerces a user's browser into performing an action the user did not intend, on a server the attacker does not control but on which the user is already authenticated.
For this reason, cross-site request forgery (or CSRF) is often referred to as a drive-by attack. As a user "drives by" an attacker-controlled site, their browser is told to do things on a different, target website. In the classic example, a user who is logged in to their bank visits the attacker's page, and a script there silently posts a transfer request to the bank; because the browser attaches the bank's session cookie automatically, the request looks legitimate to the server. In 2013 a CSRF attack on Facebook could let an attacker take over a user's account by targeting Facebook's email change functionality. CSRF attacks are also known by a number of other names, including XSRF, "Sea Surf", Session Riding, Cross-Site Reference Forgery, and Hostile Linking. Microsoft refers to this type of attack as a One-Click attack in its threat modeling process and in many places in its online documentation. More...
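The transfer scenario above, as an added example that is not code from the original page: a vulnerable handler that authorises a transfer on the session cookie alone, beside a hardened handler that also requires a per-session anti-CSRF token (synchronizer token pattern) and rejects foreign `Origin` headers. The bank, the session store, the key and the request shapes are all constructed for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed example state: not a real bank, session store or key.
SERVER_KEY = b"constructed-example-key-do-not-reuse"
SESSIONS = {"sess-abc123": "alice"}          # session cookie value -> user
BALANCES = {"alice": 100, "mallory": 0}
SITE_ORIGIN = "https://bank.example"


def issue_csrf_token(session_id: str) -> str:
    """Mint a token bound to one session: nonce + HMAC(session_id, nonce).
    The server embeds it in its own forms; a cross-site page cannot read it."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: Optional[str]) -> bool:
    """Recompute the MAC for this session and compare in constant time."""
    if not token or "." not in token:
        return False
    nonce, mac = token.rsplit(".", 1)
    expected = hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def _apply_transfer(user: str, to: str, amount: int) -> None:
    BALANCES[user] -= amount
    BALANCES[to] = BALANCES.get(to, 0) + amount


def transfer_vulnerable(req: Dict) -> str:
    """VULNERABLE: the session cookie is the only thing checked, and the
    browser sends that cookie no matter which site submitted the form."""
    user = SESSIONS.get(req["cookies"].get("session"))
    if user is None:
        return "401 not logged in"
    _apply_transfer(user, req["form"]["to"], int(req["form"]["amount"]))
    return "200 transferred"


def transfer_hardened(req: Dict) -> str:
    """Hardened: state changes need POST, a same-site Origin (when the
    browser sends one) and a token bound to the caller's session."""
    session_id = req["cookies"].get("session")
    user = SESSIONS.get(session_id)
    if user is None:
        return "401 not logged in"
    if req["method"] != "POST":
        return "405 method not allowed"
    origin = req["headers"].get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return "403 cross-site origin"
    if not verify_csrf_token(session_id, req["form"].get("csrf_token")):
        return "403 missing or invalid CSRF token"
    _apply_transfer(user, req["form"]["to"], int(req["form"]["amount"]))
    return "200 transferred"


def forged_request(cookie: str) -> Dict:
    """What the victim's browser sends when an attacker page auto-submits a
    form: the bank's cookie is attached, but the attacker has no token."""
    return {"method": "POST",
            "headers": {"Origin": "https://evil.example"},
            "cookies": {"session": cookie},
            "form": {"to": "mallory", "amount": "50"}}


def legitimate_request(cookie: str, token: str) -> Dict:
    """The same transfer submitted from the bank's own form."""
    return {"method": "POST",
            "headers": {"Origin": SITE_ORIGIN},
            "cookies": {"session": cookie},
            "form": {"to": "mallory", "amount": "50", "csrf_token": token}}


if __name__ == "__main__":
    forged = forged_request("sess-abc123")
    print("vulnerable handler, forged request:", transfer_vulnerable(forged))
    print("hardened handler, forged request:  ", transfer_hardened(forged))
    token = issue_csrf_token("sess-abc123")
    print("hardened handler, real request:    ",
          transfer_hardened(legitimate_request("sess-abc123", token)))
    print("balances:", BALANCES)
```

The `Origin` check and the token are deliberately independent layers: older clients and some non-browser callers omit `Origin`, so the token check must hold on its own, while a `SameSite=Lax` attribute on the session cookie (not modelled here) adds a third layer at the browser. Binding the token to the session id means a token captured from one user's page is useless against another session.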

Security versus privacy in software

Security often supports privacy: if you maintain security effectively, you protect the confidentiality and integrity of data, and that is good for the privacy of the data subject. But security is also frequently in tension with privacy, because the primary question security asks is: who did what, and when? The tools that answer that question are logs. When you turn on logging to monitor your network, you capture packets, and security in that context is essentially surveillance. Surveillance can, of course, be an invasion of privacy, and so the tension is built in. Keeping your family, your computer and your identity safe is an essential task in the online world, and you are responsible for knowing what type of information you are handling. More...

ASP.NET security hole patch

Microsoft published Security Advisory 2416728 about a security vulnerability in ASP.NET on Saturday, September 18th, 2010. The vulnerability exists in all versions of ASP.NET and was publicly disclosed late Friday at a security conference. The flaw is a padding oracle: differing error responses let an attacker learn about encrypted data the application handles. Scott Guthrie has provided information on workarounds (please see Important: ASP.NET Security Vulnerability and ASP.NET Security Vulnerability), centred on enabling customErrors so that every error returns the same page, to prevent attackers from using this hole against ASP.NET applications. More...