Cyber Security & Dot Net Security

Thursday, October 14, 2010

ASP.NET Security: Hashing User Passwords

One of the best security practices for any web application that requires user authentication is to encrypt a user's password in the database. I take this a step further, which is also a best practice: the encryption is one-way. This means nobody will ever know the user's password, which is how it should be; he or she may be using it somewhere else.


Think about this the next time a website offers to send you your original password. This is bad. It means either 1) they are not encrypting your password, or 2) it is being encrypted in a way that can be decrypted back to its original value. Either way, this is a bad practice.

This is totally unacceptable to me. I won't create an application unless the passwords are stored using a one-way hash. If a user loses her password, she will need to be sent a new one, which she must change at her next logon.

This one-way password hashing is built right into the .NET Framework, so you don't have to go out and buy a product. Upon registration, the user enters the password; you generate a random set of characters, typically called a salt, hash the password together with the salt, and store the result in the database. The code snippets are as follows:

  using System;
  using System.Security.Cryptography;
  using System.Web.Security;

  // Generate a random salt of the given size in bytes.
  private static string CreateSalt(int size)
  {
   // Generate a cryptographic random number.
   RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();
   byte[] buff = new byte[size];
   rng.GetBytes(buff);

   // Return a Base64 string representation of the random number.
   return Convert.ToBase64String(buff);
  }

  // Hash the password together with the salt; the result is a one-way digest.
  private static string CreatePasswordHash(string pwd, string salt)
  {
   string saltAndPwd = String.Concat(pwd, salt);
   string hashedPwd =
    FormsAuthentication.HashPasswordForStoringInConfigFile(
     saltAndPwd, "sha1");

   return hashedPwd;
  }

Store the PasswordHash and salt in the database in the user's account.

Then, when the user attempts to log on the next time, fetch the salt from the database, hash the password the user supplied at logon with that salt exactly as at registration, and compare the result to the PasswordHash stored in the database. If they match, the user provided the correct password (whatever that may be). If they do not match, the password entered was incorrect.

These are common ASP.NET security routines that should be in your own personal library for use over and over again. Keep the database-specific details out of the library, as the actual database and table schemas may change from project to project. Just pass in variables for the user-supplied username and password and the HashedPassword and Salt from the user database. Build these good security practices once and re-use them over and over again.
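The full registration and logon round trip described above, as an added example that is not the blog's own code: it keeps the post's SHA1-over-password+salt scheme but computes the digest with the SHA1 class from System.Security.Cryptography instead of the FormsAuthentication helper, so it runs as a plain console program, and it compares hashes in fixed time. The StoredCredential type, the Register/Verify names and the sample password are constructed for this example.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Stand-in for the user's row in the database (constructed for the example).
public sealed class StoredCredential
{
    public string PasswordHash { get; set; }
    public string Salt { get; set; }
}

public static class PasswordStore
{
    // Registration step: random salt, then hash(password + salt); both are stored.
    public static StoredCredential Register(string password)
    {
        string salt = CreateSalt(16);
        return new StoredCredential
        {
            Salt = salt,
            PasswordHash = CreatePasswordHash(password, salt)
        };
    }

    // Logon step: re-hash the supplied password with the stored salt and compare.
    public static bool Verify(string suppliedPassword, StoredCredential stored)
    {
        string candidate = CreatePasswordHash(suppliedPassword, stored.Salt);
        return FixedTimeEquals(candidate, stored.PasswordHash);
    }

    private static string CreateSalt(int size)
    {
        byte[] buff = new byte[size];
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(buff);
        }
        return Convert.ToBase64String(buff);
    }

    // SHA1 over UTF-8(password + salt), hex-encoded, to match the post's scheme.
    // A new design should prefer a deliberately slow KDF such as PBKDF2
    // (Rfc2898DeriveBytes): a fast hash lets anyone holding the table test
    // guesses very quickly.
    private static string CreatePasswordHash(string pwd, string salt)
    {
        byte[] data = Encoding.UTF8.GetBytes(String.Concat(pwd, salt));
        using (SHA1 sha1 = SHA1.Create())
        {
            byte[] digest = sha1.ComputeHash(data);
            return BitConverter.ToString(digest).Replace("-", "");
        }
    }

    // Compare every character, so the time taken does not reveal how many
    // leading characters of the stored hash a guess matched.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

public static class Program
{
    public static void Main()
    {
        StoredCredential cred = PasswordStore.Register("correct horse");
        Console.WriteLine(PasswordStore.Verify("correct horse", cred));
        Console.WriteLine(PasswordStore.Verify("wrong horse", cred));
    }
}
```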

Friday, October 1, 2010

How to protect your computer from hackers, spyware and viruses

This post was inspired by the situation of one of my cousin's computers in India. I recently made a trip there and, since I'm in the IT field, she asked me to take a look at her computer because it was acting "funny". The "funny" act was that the computer would automatically restart whenever you tried to install ANY software onto it or download any program from the Internet. The first thing I noticed was that there was no anti-virus software installed on the computer, so my first goal was to install AVG anti-virus and check for viruses. But of course, the virus that was already on the computer would not let me install or download anything! Smart virus! To make a long story short (and I mean a LONG story), there were 2256 viruses on the computer and 110 instances of spyware. I have never even heard of such a ludicrous number of viruses on a computer before!
Most of the viruses on the computer were hidden in files that had been downloaded off the Internet: songs, videos, and movies. I was amazed that the computer lasted for 2 years with that many viruses! So I gave my dear cousin a serious lesson in how to protect her computer from the dangers of the Internet, and I will go through it here for anyone else who might be interested!
This is by no means a comprehensive list, so if you have any suggestions, please feel free to comment and I’ll add them on!
1. Install Anti-Virus Software - This should not even have to be listed; if you don't have anti-virus software installed, you're asking for trouble! And if your reason for not installing anti-virus software is that it's too expensive, that reason can be shot down, because there are several free anti-virus programs out there that are considered better than commercial software packages. Here are a few of the most popular ones:
AVG Anti-Virus – Very good and completely free.
Avast Anti-Virus – Almost on par with AVG.
Kaspersky Anti-Virus – Not free, but one of the best detection rates.
2. Update All Software - Installing an anti-virus program by itself is not enough. Hundreds of new threats are found daily, and the anti-virus programs release updates regularly to combat them. Make sure your anti-virus program is set to update automatically so that you don't have to rely on your memory to do it. This goes for all the software on your computer. The most important software to keep up to date is your Windows operating system. It is essential to have Automatic Updates turned on and set to download and install updates automatically.
3. Install Only Trusted Software - If you're not sure what a piece of software does from its name, don't install it. Also, don't install anything you didn't intend to install in the first place. Sometimes programs will ask you to install other programs during the install of the first application. Be careful of that, because it's usually spyware. Install software from big-name sites only, such as Microsoft or Adobe.
4. Avoid P2P File Sharing Software – If used with great caution, P2P software is quite useful for movies, songs and software, but if you’re not very technically savvy, you might end up downloading a song that has a keystroke logger attached to it that will send anything you type to some other computer over the Internet. It’s almost impossible to tell that this is occurring unless your anti-virus or anti-spyware programs pick it up in their scans.
5. Delete Unknown Emails – If you receive emails from random people's names, don't bother to open the email; just delete it. If you have any doubts after reading the name and the subject, it's probably not someone you know. Never download or open attachments unless you are sure they're from someone you know. Give the person a quick call and ask if you're not sure. Most large companies that you create online accounts with will not send you attachments unless you specifically ask for them through their web site. Also, be wary of any emails from sites pretending to be banks, auction sites, etc., asking you to verify bank account info or address info. No bank ever does that.
6. Do not click on Ads - Avoid clicking on ads if you can. Especially those ads where something is flying around and if you shoot the duck, you win some prize! Ads have become more sophisticated in that they try to make the ad interactive so that you’ll be tempted to play it like a game.
7. Run Virus Scans Regularly – If you're not in the mood to scan every day, at least run a scan once a week. Better still, set up a schedule in your anti-virus software to run a scan late at night or whenever you don't use your computer; that way you won't be bothered with a slow computer.
8. Be Careful What You Attach to Your Computer – This is a more common way to transfer viruses than you might think. Everyone now has a USB flash stick that they carry around on their key chain, ready to snap into any computer. But who knows what viruses are on your friends' computers and what accidentally got transferred to their USB stick. A lot of virus programs will auto-launch right when the USB stick is put into the computer, so you don't even have to open or download any of the files to be infected.
9. Avoid Shady Web Sites – If you need to look at porn, then make sure you do it in a virtual environment. You are DEFINITELY going to get some virus or spyware if you browse porn sites on your computer. Virtualization basically allows you to run programs like Internet Explorer in a virtual environment that does not affect your current operating system. If you want to find out more, search for "Virtual PC" or "VMware" in Google. Otherwise, simply avoid going to shady web sites!
10. Turn On or Install a Firewall - If you're running Windows XP, make sure Windows Firewall is turned on. A firewall prevents hackers from gaining access to your computer by limiting the number of ports that are open to the public. Also, when buying a wireless router, make sure it has a built-in firewall. Having both a software and a hardware firewall is better than having just one or the other.
11. Secure Your Wireless Network – Most wireless routers are set to no security when you install them. Be sure to log into the router and at least set the basic security that requires a password. There are stronger encryption options, but if you don’t understand those, then simply set a password on the router, otherwise anyone can connect to your home network and access everything.
12. Use a Complex Password for Login – This means that you should already have a password to login to your computer. Not having a password at all is not a good idea. Create a password for all user accounts and make sure it’s complex. Complex means it should have numbers, upper case characters, lower case characters, and symbols. This makes it way more difficult for a hacker to get into your computer.

Computer Viruses: How-To Protect Against Computer Viruses



The words "I Love You" can be scary enough without a virus attached. Computer viruses are on the rise and doing more damage than ever. Last year the "I Love You" virus wound its way through thousands of computers, shutting down entire e-mail systems for some companies. Imagine the culprit in his lonesome house in the middle of nowhere, creating Internet killer bugs with limited broadband access and causing major damage and chaos on the World Wide Web. Over the past decade, countless businesses have found their priceless data corrupted or destroyed by these malicious computer programs, which can lurk undetected in innocent files for months before doing their dirty work. Worse, existing computer viruses can mutate just like their biological cousins, increasing their destructive potential and becoming more resistant to antivirus software and other countermeasures.
15 out of every 1,000 PCs are hit by a virus each month. - ICSA Labs survey
With well over 10,000 viruses out there and the production of new viruses climbing to over 200 per month (International Computer Security Association), it's more important than ever to protect your valuable equipment and data from virus attacks.



The Best Defense: How-To Protect Against Computer Viruses

If your computer contracts the Michaelangelo virus, it will strike on March 6 - the artist's birthday.

Preventing a viral infection of your computer is much easier than eliminating one you have already contracted. With so many offenders floating about, it may seem impossible to avoid them. But there are a number of simple precautions you can take:
1. Avoid Unknown Attachments. Nowadays, most viruses are spread via e-mail attachments which, thankfully, can only become active when the attachment is opened or unzipped. While you cannot contract a virus just by receiving e-mail, it is a good idea to delete messages containing attachments if you do not know the sender, or if the subject line includes a tempting phrase like “Here is the file I promised you.”  
2. Avoid Bootleg or Pirated Software. With popular software packages running upwards of $200, it can be hard to resist the lure of the bootleg versions freely available on Internet file sharing utilities such as FreeNet and Gnutella. 
Virus writers take advantage of the insatiable market for bootlegs to disseminate their creations across the Internet and around the world.
3. Treat Floppy Disks and CDs With Suspicion. Prior to the mid-1990s, most computer viruses were spread via infected floppy disks. While floppy disks aren't inherently evil, as they pass through many hands and many computers, they have an increasingly greater chance of becoming infected by a virus - one that will then infest your system. New technologies such as CD burners (recorders) also open new doors for viruses to slip through. Homemade CD-RW disks (CDs which can be re-written using a burner) with unknown pedigrees can also be a source of infection.
4. Back It Up.  Along with hardware failure, theft and acts of God or Nature, the possibility of viral infection is just one more reason to back up your data regularly.  For Windows users, once you have chosen a backup medium (floppy disk, zip disk, CD-RW, tape drive), you can set up the Task Scheduler in Windows 95/98 to perform automatic backups on a daily, weekly or monthly basis. Still, you should always keep the last and the next-to-the-last backups in case you need to restore files that have been corrupted. 
5. Purchase Antivirus Software. Most antivirus software packages offer an automatic background protection mode, which will detect and clean out infections as they appear. If you don’t have this option, be sure to use the software to scan any and all Internet downloads, e-mail attachments and foreign disks before you open or run them. (More information on antiviral software is coming up in the next sections.) 

Research shows that the average computer virus programmer is 14-24, talented, intelligent, and "driven by a rebellious, adolescent need to call attention to himself." - (www.uselessknowledge.com)
6. Check System Requirements. The last thing you need is to trek out, buy the software, trek back, try to install it and get a nasty error message saying "Unable to install program. You need Windows version XYZ." For example, the Windows 98 version of Symantec's Norton AntiVirus may not work on an NT 2000 system. Make sure you check the minimum system requirements and platform on the package before you buy to make sure you get the right version. 
7. Scan All Drives. Once you've purchased and installed the software, schedule regular scans. Most virus scan programs are set to automatically scan the C: Drive first. It's easy to think you're home free when no viruses are found. Make sure you set the program to check all drives, including e-mail programs, as many viruses are delivered through e-mail attachments and Internet files, and spread through shared documents. 
9. Update Often. For optimum protection, antivirus software must be updated on a monthly basis so that it can recognize and eradicate new bugs as they make the rounds. The updates can usually be found on the software company’s Web site, but if you need reminding, many packages will allow you to schedule automatic updates. Still, you should never assume that your antiviral software offers complete protection from infection, and you should continue to take basic safe computing precautions.

How To Protect USB Drive From Virus When Attached To Infected Computer

Have you ever attached a USB drive to a computer and later found out that the drive was infected by a virus? I have definitely faced this situation many times. If you attach your USB drive to an infected computer, the virus is transferred to the drive in no time, infecting the important documents on the drive too; depending on the nature of the virus, you may lose important data from the USB drive and never recover it. But there is a way to protect your USB drive from infection when it is connected to an already infected computer.

If you put your USB drive into non-writable mode, no data can be written to it, which means that if a virus-infected computer tries to transmit a virus to the drive, it cannot, because the drive is write-protected.

Write Protect Switch

Certain USB flash drives come with a write-protect switch, which you can use to write-protect the USB flash / pen drive, i.e. make it read-only. If the write-protect switch is missing from your USB flash / pen drive, you can use a USB write-protector utility instead.

ThumbScrew

Thumbscrew is a freeware application that lets you write-protect your USB drive so that a virus, malware, Trojan or any other kind of infection on the host computer cannot write anything to your USB drive.
Now right-click the system tray icon and choose Make USB read only. This makes the USB drive write-protected, which completely prevents infections from spreading onto your drive.

USB Write Protector

USB Write Protector is another free utility that allows you to write-protect your USB flash / pen drives, just like Thumbscrew mentioned above. This is a very small utility that you can always carry with you on your portable drive.
With these applications your pen drive is protected on that shared system, but it is still recommended that you use quality antivirus software and keep it updated regularly.

Top 5 Well Known Computer Hackers & Their Crimes

A computer hacker attempts to gain access without authorization to other people's computers or computer systems. These computer experts, choosing to use their skills for foul play, commit various crimes, ranging from theft to disrupting computer services and operations. The Top 5 computer hackers caused millions of dollars in damages.

    Jonathan James

    At the age of 16, James was the first juvenile convicted and sent to prison for hacking. James targeted high-security organizations for his hacking amusement. His conquests included the Department of Defense, NASA and the Department of Justice, where he viewed classified materials and stole software valued at $1.7 million. James served a six-month sentence under house arrest, although an adult convicted of his crimes would serve a 10-year sentence.

    Adrian Lamo

    Lamo, known as the homeless hacker because he used public connections at libraries and Internet-enabled coffee houses, committed hacking crimes involving penetration testing, finding security gaps in a company's computer system. He accessed personal information, such as social security numbers, and then brazenly informed his victims, including The New York Times, Yahoo!, Citigroup and Microsoft, of their system flaws. After his conviction, Lamo paid a $65,000 fine and was sentenced to two years' probation after serving home confinement for six months.

    Kevin Mitnick

    First arrested at the age of 17, Mitnick eventually became the most wanted computer criminal in the country. Mitnick hacked the systems of such well-known companies as Motorola, Fujitsu and Novell for the purpose of stealing software and damaging their machines. His final arrest came in 1995, and he served four years for computer crimes. Mitnick authored two books, including "The Art of Intrusion." Hollywood produced a movie based on his hacking activities called "Takedown." Today, Mitnick operates a computer security firm.

    Robert Morris

    As a student at Cornell University in 1988, Robert T. Morris created the first computer worm, a virus that spreads via the Internet. His claims that the worm began simply as an experiment that spiraled out of his control did not persuade prosecutors, who pointed out the significant loss of time and money his creation caused. Morris served three years of probation along with community service and paid a fine of $10,000. Morris went on to create a company that sold online software products, which Yahoo! purchased in 1998 for $45 million. Today, Morris works at M.I.T. as a professor in their computer science and artificial intelligence laboratory.

    Kevin Poulsen

    In 1990, radio station 102.7 FM in Los Angeles hosted a contest, awarding a free Porsche to the 102nd caller of the day. Poulsen, having already hacked into the station's phone lines, arranged to become that caller. He later went on to hack computer systems of the FBI and the Defense Department. Arrested in 1991, after seventeen months of hiding, he received a sentence of 51 months, the longest sentence ever given for computer crimes at that time. Today, Poulsen writes professionally.

What do hackers do with the information they steal?

A question that we hear a lot when it comes to cyber-crime: What are hackers after, anyways?

There are a lot of different types of hackers and computer scammers out there, so there's no one answer. Some of them are just practical jokers; some use viruses to get revenge on the company they were fired from, or just to bother random people online. The main reason hacking exists, however, is that it's a great way to make a dishonest living by stealing information from unsuspecting users.
If you have the know-how, the time, and a lack of moral scruples, it's really not that hard to crack into someone's computer with a spybot and monitor their activity, or even to take control of their computer from afar and look right into their files.
So now the question becomes “Why?” Why do hackers want that information so badly?
There are a number of things a hacker can do with the information they steal from you. The most obvious example would be, of course, that they can steal your financial information or your identity, using your credit card number to buy whatever they like or even getting into your bank account.

That’s the scariest kind of hacker, anyways, but even if you don’t have any of your financial information on your PC, you’re still a target for info and identity theft.
Besides outright stealing your identity and spending your hard-earned money for you, many hackers will settle for more mundane details, such as using spyware to look at your browser history, email, Internet proxy, anything they can get hold of, and then selling that to unscrupulous advertisers who flood your inbox with spam and fill your screen with pop-ups.
Back when computers were more of a hobby than a serious part of one's everyday life, we really didn't have much info on our PCs worth stealing. In those days, viruses were relatively benign. Maybe they'd make your computer do something weird, maybe pop up an image or a message, like THE CREEPER, the first computer virus, which simply made your computer monitor read "I'M THE CREEPER, CATCH ME IF YOU CAN". For the most part, they were harmless practical jokes.
There still are those practical joker hackers out there, but what hacking has largely become is an illegal multimillion dollar a year industry, a great way for con artists to make a quick buck without even having to put themselves at risk by lying to your face.
The bottom line is that hackers want money, and they don’t care how they get it. If they can take your bank account information, they will, and if they can’t, they’ll settle for some personal info to sell to spammers.
Luckily, a good security program will generally protect you from most hackers, but they're working 'round the clock to figure out how to bypass your security measures and find new weak points, so it's important that the methods you use to protect yourself evolve at a faster pace than the hackers' methods do.