Tag: security

ASP.NET Membership Log Out

My boss likes to say “never use the words ‘simple’ or ‘easy’ in our line of work” and today was one of those days that demonstrates exactly why he loves this saying.

We were asked to set up an auto logout feature that redirects to the login screen. I’ve done so much Windows Authentication work that I’ve never actually had to build this functionality. I went straight to my favorite search engine and I found the following code.


Everyone was commenting about how this worked great and, lo and behold, it wasn’t working. More research and I found an article that explained that the above sometimes neglected to clear cookies, and that to fully ensure a sign out you should clear both the forms authentication and session cookies.

The following code is what I ended up using in our application. It only expires the cookies that are forms authentication and session related.


// Requires: using System.Linq; using System.Web; using System.Web.Security;
// Default ASP.NET cookie names: the forms authentication ticket and the session id
// ("ASP.NET_SessionId" can be changed via <sessionState cookieName="..."> in web.config).
var cookies = new List<string> { FormsAuthentication.FormsCookieName, "ASP.NET_SessionId" };

foreach (var cookie in cookies)
    if (Request.Cookies.AllKeys.Contains(cookie))
        // Expiring a cookie only reaches the browser through the response;
        // changing Request.Cookies never produces a Set-Cookie header.
        Response.Cookies.Set(new HttpCookie(cookie) { Expires = DateTime.Now.AddYears(-1) });
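For completeness, here is a full forced sign-out helper as I would write it for an ASP.NET forms authentication application: it signs out, abandons the session, expires both cookies in the response and redirects to the login page. This is an added example, not the code from the post above; LogoutHelper and ForceSignOut are hypothetical names, and the session cookie name assumes the default configuration.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Hypothetical helper (not part of the original post) that performs a complete sign out.
public static class LogoutHelper
{
    public static void ForceSignOut(HttpContext context)
    {
        // 1. Clear the forms authentication ticket. SignOut() queues an expired
        //    forms cookie, but on its own it does not touch the session cookie.
        FormsAuthentication.SignOut();

        // 2. Abandon the server-side session so a replayed session id finds nothing.
        if (context.Session != null)
            context.Session.Abandon();

        // 3. Explicitly expire both cookies in the response. "ASP.NET_SessionId" is the
        //    default session cookie name; match <sessionState cookieName="..."> if it was changed.
        string[] cookieNames = { FormsAuthentication.FormsCookieName, "ASP.NET_SessionId" };
        foreach (var name in cookieNames)
        {
            if (context.Request.Cookies[name] == null)
                continue; // nothing to clear for this request

            var expired = new HttpCookie(name, string.Empty)
            {
                Expires = DateTime.UtcNow.AddYears(-1), // a date in the past tells the browser to delete it
                HttpOnly = true,
                Path = "/"                              // must match the path the cookie was issued with
            };
            // Set() replaces any cookie of the same name already queued (e.g. by SignOut()).
            context.Response.Cookies.Set(expired);
        }

        // 4. Send the user to the configured login page; the Set-Cookie headers go out with the 302.
        FormsAuthentication.RedirectToLoginPage();
    }
}
```

Call ForceSignOut(HttpContext.Current) from the logout handler, whether a user clicks "Log out" or a client-side idle timer posts to that same URL for the auto logout case; the redirect carries the expired cookies, so the login screen the user lands on starts from a clean state.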


Wireless Security Tip: Don’t Connect Automatically

I have a quick tip that will significantly increase the security of your laptop, tablet, or even phone. When you’re setting up your wireless connections, there are two options that you should never turn on: 1) “connect automatically when this network is in range” or “start this connection automatically” and 2) “connect even if the network is not broadcasting”.

You can blame hidden wireless networks for this gaping security hole. The How-To Geek has a really good article explaining why you shouldn’t use hidden wireless networks.

Why should I turn off these convenience features?

When you use the auto connect features of WiFi, your device seeks out the wireless connection on its own. In the process of seeking out the connection, it also broadcasts the connection information, including the name of the network it is looking for. Devices such as the WiFi Pineapple can be built to scan for these broadcasts coming from your devices. Once it has found a device, it automatically configures a matching connection and allows you to connect. Once you’re connected, your internet traffic can be monitored.

The following comes directly from the product information of Hak5’s WiFi Pineapple:

You see most laptops have network software that automatically connects to access points they remember. This convenient feature is what gets you online without effort when you turn on your computer at home, the office, coffee shops or airports you frequent.

Simply put, when your computer turns on, the wireless radio sends out beacons. These beacons say “Is such-and-such wireless network around?” Jasager, German for “The Yes Man”, replies to these beacons and says “Sure, I’m such-and-such wireless access point – let’s get you online!”

Of course all of the Internet traffic flowing through the pineapple such as e-mail, instant messages and browser sessions are easily viewed or even modified by the pineapple holder.

Secure Computing: Up-To-Date Anti-Virus

What is the number one reason why most people with virus prevention programs installed on their computer become infected? The answer is quite simple. The virus prevention software isn’t kept up-to-date.

Anti-virus software is only as good as its virus definition database and its detection software. Commercial anti-virus vendors only provide adequate updates to the virus definition and the detection software as long as the customer has paid for the updates. Today, most vendors provide 1 year of updates with the purchase of their products and many consumers choose not to renew update subscriptions after the initial period. Unfortunately, by not extending subscriptions consumers leave their computers at risk of infection.

Fortunately, free anti-virus vendors have been getting better and better reviews, giving consumers another solution. There are three free anti-virus solutions that I would recommend: AntiVir Personal, Avast Home Edition, and AVG Free. These all have comparable features and free updates, and you can check out http://www.av-comparatives.org/ for comparisons of their effectiveness against malicious code.

Phishing and Pharming, Awareness and Prevention

Arguably one of the main security topics in recent years has been the onset and prevalence of phishing and pharming scams. Unfortunately, while many end users have heard of these threats, they remain unaware of the severity of these very dangerous scams. Users should educate themselves not only on prevention techniques but also on how the scams work. This article is meant to provide users with a non-technical explanation of phishing and pharming, as well as prevention techniques.


Phishing is a form of identity theft in which phishers (the people running the scam) create websites that appear to belong to legitimate companies. Phishers usually draw users to these fraudulent sites by sending links to them in authentic-looking emails, which may even include the real company’s logo. If a user is drawn to the phisher’s website and submits his or her personal information, that information goes straight to the phisher.

For example, a user receives a fake email supposedly from Bank XYZ containing a link and asking the user to click on it. The user clicks the link and is sent to a page which looks like the XYZ login page, but the address in the address bar at the top of the browser is not correct. When the user types in his or her login information, he or she is not logged into XYZ; instead the phisher now has that login information and can log into the user’s XYZ account.

Pharming (aka Domain Spoofing)

Pharming occurs when a hacker “poisons” the domain name, or web address (www.google.com, http://www.yahoo.com, etc.), of a website and redirects users from the “poisoned” website to another website, usually owned by the hacker. Once at the hacker’s site, the pharming process is identical to phishing: users believe they are submitting information to the real site but are actually sending it directly to the hacker.

Unfortunately, this technique can drive large groups of users to fraudulent sites even if they type in the correct URL, or web address. The more popular the “poisoned” website address, the larger the pharming scam. For example, if http://www.xyz.com has been “poisoned,” then when you type in http://www.xyz.com you would not be taken to the real XYZ page but to one of the hacker’s choosing. If that page is made to look the same as the real site, it may be hard to tell that pharming has occurred, since the address bar will still say http://www.xyz.com.

Phishing and Pharming Prevention

** As a general rule NEVER click a web address inside of an email. Even if the email seems to be from someone you know or an organization you know to be safe, simply open your browser (Internet Explorer, Firefox, etc.) and navigate to the website without using the link in the email.

  • Phishing

1) Watch the address bar! Phishing does not disguise the URL in the address bar so you will be able to see the difference in the address bar at the top of your browser. If phishing is occurring the URL, or web address, will be incorrect.

2) If you think that you may have fallen victim to this, the best advice is to log in to the real website and change your password. This will negate the information that the phisher obtained, but I must stress that this be done immediately so as not to give the phisher time to change your password or collect your information.

  • Pharming

1) You CANNOT rely on the address bar. The address bar will look correct but you will not be on the website that it says.

2) Check names on authentication certificates. If the name doesn’t match the site you want to go to, leave the site and contact a tech to verify the authenticity of a site.