Smart Security by Dharmesh M Mehta
An Application Security Blog

What do you say? Yes / No / Don't Care (2011-09-28)

Mobile or Immobile: https://urtak.com/clr/j3gxxyodkinm1lejkswcirguwtqnd0lb

7 UID bogus centers shut down (2011-07-27)

In what comes as an addition to fraud incidents in the city, seven Unique Identification centers were shut down by the civic corporation on Monday. The Thane Municipal Corporation (TMC) closed down these seven bogus UID centers, where several citizens had already had their UID forms enrolled.

However, the enrolments will be declared void because these centers were not legal. The seven centers had been operating without any permission from the authorities for the past few months. Two centers each in Panchpakhadi, Lokmanya Nagar and Khopat and one center in Vrindavan Society were shut down by the municipal corporation. The TMC has made it clear that citizens who enrolled at these centers will not get their UID cards and will have to enrol all over again at an authorised centre in the city.

Informed sources from the TMC maintained that Vakhrangee Software Ltd. was using a bank's name to provide UID cards to citizens, and some Maharashtra Navnirman Sena activists were believed to be running the bogus centers. It is learnt that a corporator informed the civic body about the bogus centers, following which the TMC took stern action and the Additional Commissioner of the TMC, L R Gupta, summoned Rahul Devpal, the owner of the software agency. During interrogation, it was revealed that these centers were bogus.
Many citizens have already enrolled for the scheme but will have to redo the process. A woman requesting anonymity said, "My son went to the center at Vrindavan Society and waited there for around four hours to get himself enrolled. All those efforts have proved futile." The civic body had opened 40 such centers in the city this year, and each center enrols 50 persons' UID forms each day. The government had allotted the work to authorised banks, government undertakings and others. The central government started the UID scheme, also known as Aadhar, to provide citizens a 12-digit identification number under the Unique Identification Authority of India.

Mobile Apps Security – Are you worried? (2011-07-26)

Smart mobile devices are now increasingly being adopted by consumers and in the enterprise, leading a number of organizations to take an interest in custom development of mobile applications. Software vendors developing mobile applications are, on most occasions, under enormous pressure to meet extremely tight go-to-market timelines. This often leaves security neglected or compromised.

Mobile apps are already taking flight in the financial sector, with online banking and online trading apps. Security, although a prime driver for custom development, is one of the hardest aspects to get right. The industry is starting to see the security and privacy concerns in developing mobile applications. Initiatives and best practices are being released by groups like OWASP, which has been addressing mobile security in a big way. There is a need to leverage the native security APIs of the platform, handle sensitive data with care, and choose the right data protection classes for the mobile application architecture. Let us look at a few critical weaknesses you should be worried about while developing mobile applications.

Data Stored on Mobile Devices

In most mobile application designs, the mobile device stores or caches some information. Since storage on today's mobile devices is no longer tightly constrained, architects readily take this option, and people often default to storing sensitive information in clear text as well. Mobile platforms like Android and iOS are susceptible to rooting or jailbreaking, which gives users unrestricted access to the underlying file system. Using this root-level access, malicious users or malicious applications can easily retrieve the sensitive information stored on the device.

Weak Cryptography

Data security is another concern, both in transit and at rest. When choosing to store sensitive data on mobile devices, designers often employ encryption. A few platforms like iOS do provide APIs to encrypt data; however, these platforms are yet to get a strong key management technique or protocol. Android too provides APIs for cryptographic primitives, but no built-in protocol for key management. Designers may find themselves having to decide what to use to generate keys, how to use them, and where to store them. Often they end up selecting a strong encryption algorithm but a poor key management protocol. With a weak cryptographic design, keys that are stored on the device, shared between users, or hardcoded do not provide adequate protection for the data.

Moving Substantial Business Logic Client Side

Designers tend to move a substantial amount of business logic to mobile devices unaware of its implications. When developing rich client applications, users are given direct access to a particular service while maintaining a simple and attractive user experience. Incorporating business logic such as password re-verification on the client can lead to unexpected security issues. As with web-based attacks, a malicious attacker could use a simple HTTP proxy that captures requests and responses and alter the response from the server to bypass security controls built into the application's logic.
Relying on Client Side Data Validation

In current business scenarios, users need to access enterprise applications both from the web and from mobile devices. Attackers have been abusing the weakness of client-side data validation on the web for a long time now, and the same data validation weakness has crept into development in the mobile application space. Attackers can easily bypass client-side data validation by placing a proxy between the mobile app and the server.
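The last two sections come down to one rule: whatever the app checked, the server checks again, and nothing the client says about itself is trusted. The following is an added example, not code from the original post, showing a server-side validator for a hypothetical funds-transfer request. The request fields, account identifiers, ownership table and transfer limit are invented for illustration. It deliberately strips any "otp_verified" flag from the request body (a proxy can set that to anything) and takes the second-factor state from the server instead; the same principle applies to the thick-client case discussed later on this page under "Dev Tools for Security Testing".

```python
"""Server-side re-validation of a mobile funds-transfer request (added example).

Assumptions (invented for illustration): the request is a JSON object with
from_account, to_account and amount; the user identity comes from the server
session; ownership and OTP state are looked up server-side, never read from
the request body.
"""
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation
import re

# Constructed sample data: which accounts each authenticated user owns, and the
# per-transaction ceiling the server enforces regardless of what the app shows.
ACCOUNT_OWNERS = {
    "user-17": {"ACC-1001", "ACC-1002"},
    "user-42": {"ACC-2001"},
}
MAX_TRANSFER = Decimal("100000.00")
ACCOUNT_ID = re.compile(r"^ACC-\d{4}$")


@dataclass(frozen=True)
class Decision:
    accepted: bool
    reason: str


def validate_transfer(authenticated_user: str, request: dict,
                      otp_verified_server_side: bool) -> Decision:
    """Re-check every field. The client's own claims about itself are ignored."""
    # A proxy can add or flip this flag, so it carries no weight here.
    request = {k: v for k, v in request.items() if k != "otp_verified"}

    src, dst = request.get("from_account"), request.get("to_account")
    if not isinstance(src, str) or not ACCOUNT_ID.match(src):
        return Decision(False, "malformed source account")
    if not isinstance(dst, str) or not ACCOUNT_ID.match(dst):
        return Decision(False, "malformed destination account")
    if src not in ACCOUNT_OWNERS.get(authenticated_user, set()):
        return Decision(False, "source account not owned by caller")
    if src == dst:
        return Decision(False, "source and destination identical")

    # Parse the amount as a decimal string: floats, NaN and Infinity are rejected.
    raw = request.get("amount")
    if not isinstance(raw, str):
        return Decision(False, "amount must be a decimal string")
    try:
        amount = Decimal(raw)
    except InvalidOperation:
        return Decision(False, "amount is not a number")
    if not amount.is_finite():
        return Decision(False, "amount is not finite")
    if amount <= 0 or amount > MAX_TRANSFER:
        return Decision(False, "amount out of range")
    if amount != amount.quantize(Decimal("0.01")):
        return Decision(False, "amount has more than two decimal places")

    # The second factor is confirmed from server-side state, not the request.
    if not otp_verified_server_side:
        return Decision(False, "second factor not verified")
    return Decision(True, "ok")


# Constructed sample requests: the genuine one the app sends, and the same
# request after an intercepting proxy swapped the source account and added a
# self-asserted "otp_verified" flag.
GENUINE = {"from_account": "ACC-1001", "to_account": "ACC-2001", "amount": "250.00"}
TAMPERED = {"from_account": "ACC-2001", "to_account": "ACC-1001",
            "amount": "250.00", "otp_verified": True}

if __name__ == "__main__":
    print(validate_transfer("user-17", GENUINE, otp_verified_server_side=True))
    print(validate_transfer("user-17", TAMPERED, otp_verified_server_side=False))
```

The ordering of the checks matters less than the fact that every one of them runs on the server with server-held data: the ownership table, the limit and the OTP state are things a proxy between the app and the server cannot reach.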
There's the old joke about two hunters running from a lion: one says to the other, "we can't outrun the lion", and his buddy replies, "I don't have to outrun the lion, I only have to outrun you." Many, over the years, have applied the same logic to application security: if their software is 'secure enough', attackers will move on to easier targets. Mobile applications are currently an easy target for attackers, and you need to address their security as a priority.

Simple Autocomplete (2011-03-17)

IRCTC, India's rail ticket booking website, which is supposed to be a secure platform for citizens booking their tickets, has a few simple security configurations missing.

An example is autocomplete not being set to off on their payments page, a practice which most secure web applications follow for sensitive pages, starting with the login page. Below is a snapshot.

[Screenshot: IRCTC payments page (IRCTC.png)]

Past few months (2011-03-15)

Readers,

For the past few months, or rather lemme say a year, I haven't been actively writing out here. I have been spending my time on other security aspects of my life. I secured myself from being a bachelor (got married :D), secured my post-graduation (completed my Executive Management from IITB) and secured my job too. :)

Interestingly, I am back into security work, doing product development in the data privacy space. There have been many trends that I have been watching and techniques which I have learnt. I will be sharing them via blog posts often now.

OTP adoption from India to the US? (2010-11-01)

A One Time Password (OTP) is a password that is valid for only one login session. It is a popular authentication mechanism in India, used essentially with banking and stock broking apps to perform two-factor authentication. SMS messages to your registered mobile phone are the predominant medium for delivering this second factor of authentication.

Recently, Facebook announced to users that they now have the option of texting "otp" to 32665 from any U.S. mobile phone to receive an OTP via SMS that is good for 20 minutes of log-in time to their Facebook account.

Nice to see Facebook working on the security front for once rather than on endless feature updates. It has had its fair share of security woes, so it's nice to see them doing something which I think may be genuinely useful for its burgeoning user base.

In India, a lot of banks use a similar mechanism called a Transaction Authorization Code: an OTP required when you want to carry out a transaction which moves money out of your account (bill payment, fund transfers etc.).

This method adds security, but it will not stop attackers from getting access to a Facebook account altogether. Using an unsecured network without encryption and other security measures brings the situation back to square one.

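As an added example (not from the original post), here is the server side of the scheme described above: a random six-digit code is issued, only a keyed hash of it is stored, it expires after 20 minutes (the validity Facebook announced), it is accepted at most once, and a handful of wrong guesses discards it. The server key, the injectable clock and the in-memory storage are assumptions made for illustration; delivering the code over SMS is out of scope.

```python
"""One-time login code service (added example, not from the original post).

Assumptions: codes are six digits, delivered out of band (SMS) by a channel
not shown here; the server holds a secret key used to hash stored codes; the
clock is injectable so expiry can be exercised in tests.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict

CODE_TTL_SECONDS = 20 * 60   # the 20-minute validity mentioned in the post
MAX_ATTEMPTS = 5             # wrong guesses allowed before the code is discarded


@dataclass
class PendingCode:
    digest: bytes       # keyed hash of the code; the code itself is never stored
    expires_at: float
    attempts: int = 0


class OneTimeCodeService:
    def __init__(self, server_key: bytes, clock: Callable[[], float] = time.time):
        self._key = server_key
        self._clock = clock
        self._pending: Dict[str, PendingCode] = {}

    def _digest(self, user_id: str, code: str) -> bytes:
        # Binding the user id into the hash stops a code issued to one user
        # from being replayed against another.
        msg = f"{user_id}:{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, user_id: str) -> str:
        """Create a fresh code for user_id, replacing any earlier one.
        Returns the code so the caller can send it; it must not be logged."""
        code = f"{secrets.randbelow(10 ** 6):06d}"   # CSPRNG, uniform over 000000-999999
        self._pending[user_id] = PendingCode(
            digest=self._digest(user_id, code),
            expires_at=self._clock() + CODE_TTL_SECONDS,
        )
        return code

    def verify(self, user_id: str, code: str) -> bool:
        """True exactly once for the right code within its lifetime."""
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        if self._clock() > entry.expires_at:
            del self._pending[user_id]           # expired: discard, force re-issue
            return False
        entry.attempts += 1
        ok = hmac.compare_digest(entry.digest, self._digest(user_id, code))
        if ok or entry.attempts >= MAX_ATTEMPTS:
            del self._pending[user_id]           # single use; guessing budget exhausted
        return ok


if __name__ == "__main__":
    svc = OneTimeCodeService(server_key=secrets.token_bytes(32))
    code = svc.issue("alice")                         # would be sent by SMS
    print("first use:", svc.verify("alice", code))    # True
    print("replay:", svc.verify("alice", code))       # False
```

Two design points are easy to miss: the comparison is constant-time (hmac.compare_digest), and the attempt counter is what makes a six-digit code acceptable at all, since without it a million guesses inside the 20-minute window is cheap.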
It would also be nice to have something like Gmail's account security feature, which tells you if a connection to your account has been opened from another location and lets you review the latest IPs that have logged into the session.

Getting Hands Dirty with Ettercap Tool (2010-06-28)

[Image: Ettercap logo (ettercap.png)]

Ettercap is a suite for man-in-the-middle attacks on a LAN. It features sniffing of live connections, content filtering on the fly and many other interesting tricks. It supports active and passive dissection of many protocols (even encrypted ones) and includes many features for network and host analysis.

Over the last few weeks, I have been fiddling around with this tool to test one of the applications. I found the tool has some really good capabilities. Sniffing over a switched network is not easy. However, using Ettercap, I managed it quite nicely.

In an Ethernet network, computers communicate with each other via Ethernet MAC addresses. So a mechanism is needed for matching IP addresses with the addresses in an Ethernet network. That mechanism is ARP (Address Resolution Protocol).

What ARP does is exactly what most people do when they have to find Mr. X in a crowd: they shout loud enough that everyone can hear them and expect Mr. X to answer if he is there. When he answers, we know who he is. When ARP wants to know the Ethernet address matching a given IP address, it uses an Ethernet technique called broadcasting, with which the datagram is addressed to all the workstations in the network. The broadcast datagram sent by ARP contains a request for the IP address. Every computer that receives the request compares the requested address with its own IP address and, if they match, sends an ARP reply back to the asking computer. After receiving the reply, the asking computer can take the Ethernet address of the computer it is looking for from that reply.

After the computer finds an Ethernet address, it stores it in its ARP cache (ARP table), so it won't need to look for it the next time it wants to send a datagram to the same address. However, it is not good for this information to be stored forever (the Ethernet adapter of the other host may be replaced for some reason, and the entry for that computer's IP in the ARP cache would become invalid). So the entries in the ARP cache expire after a period of time. Moreover, most operating systems will replace an entry in their ARP cache when a reply arrives even if they haven't sent an ARP request beforehand.
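The unsolicited-reply behaviour just described is also what a defender can watch for. As an added example (not from the original post, and not part of Ettercap), here is a small Python monitor that parses raw Ethernet/ARP frames and alerts on two signals: a reply for an IP nobody asked about, and an IP whose MAC suddenly differs from the first one seen, which is the same "changed ethernet address" signal that tools like arpwatch report. The frames it consumes are constructed inline by a helper that exists only to build the sample traffic; on a real host you would feed it frames from a raw socket or a pcap, which is not shown.

```python
"""ARP cache-poisoning detector over raw frames (added example, not from the post).

Parses Ethernet/ARP frames, remembers the first IP-to-MAC binding it sees, and
raises an alert when a reply (a) arrives for an IP nobody asked about, the
unsolicited-reply case the text describes, or (b) claims a different MAC for an
IP already bound. The frames below are constructed for the example.
"""
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class ArpFrame:
    oper: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def _mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def _mac_bytes(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def _ip_bytes(s: str) -> bytes:
    return bytes(int(p) for p in s.split("."))


def parse_arp(frame: bytes) -> Optional[ArpFrame]:
    """Return the ARP fields of an Ethernet II frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return ArpFrame(oper, _mac_str(sha), _ip_str(spa), _mac_str(tha), _ip_str(tpa))


def build_arp(oper: int, sender_mac: str, sender_ip: str,
              target_mac: str, target_ip: str) -> bytes:
    """Build a wire-format frame; used here only to construct sample traffic."""
    eth_dst = BROADCAST if oper == ARP_REQUEST else target_mac
    eth = _mac_bytes(eth_dst) + _mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
    arp += _mac_bytes(sender_mac) + _ip_bytes(sender_ip)
    arp += _mac_bytes(target_mac) + _ip_bytes(target_ip)
    return eth + arp


@dataclass
class ArpMonitor:
    bindings: Dict[str, str] = field(default_factory=dict)   # ip -> first MAC seen
    requested: Set[str] = field(default_factory=set)         # IPs with an open request

    def observe(self, frame: bytes) -> List[str]:
        """Feed one frame; return the alerts it triggered (empty list if none)."""
        arp = parse_arp(frame)
        if arp is None:
            return []
        alerts: List[str] = []
        if arp.oper == ARP_REQUEST:
            self.requested.add(arp.target_ip)
        elif arp.oper == ARP_REPLY:
            if arp.sender_ip in self.requested:
                self.requested.discard(arp.sender_ip)
            else:
                alerts.append(f"unsolicited reply: {arp.sender_ip} is-at {arp.sender_mac}")
        else:
            return []
        known = self.bindings.get(arp.sender_ip)
        if known is None:
            self.bindings[arp.sender_ip] = arp.sender_mac      # learn on first sighting
        elif known != arp.sender_mac:
            alerts.append(f"binding change: {arp.sender_ip} was {known}, now claims {arp.sender_mac}")
        return alerts


# Constructed sample traffic: a normal request/reply for the gateway, then a
# reply nobody asked for that re-maps the gateway's IP to another adapter.
SAMPLE_FRAMES = [
    build_arp(ARP_REQUEST, "aa:aa:aa:aa:aa:01", "10.0.0.1", "00:00:00:00:00:00", "10.0.0.254"),
    build_arp(ARP_REPLY, "aa:aa:aa:aa:aa:fe", "10.0.0.254", "aa:aa:aa:aa:aa:01", "10.0.0.1"),
    build_arp(ARP_REPLY, "bb:bb:bb:bb:bb:bb", "10.0.0.254", "aa:aa:aa:aa:aa:01", "10.0.0.1"),
]


def run_sample() -> List[List[str]]:
    mon = ArpMonitor()
    return [mon.observe(f) for f in SAMPLE_FRAMES]


if __name__ == "__main__":
    for alerts in run_sample():
        print(alerts or "ok")
```

The monitor keeps the first binding rather than overwriting it, so a single poisoned reply produces an alert instead of silently becoming the new truth; a legitimate adapter replacement shows up as the same alert once and can then be acknowledged.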
That allows a MITM (Man-In-The-Middle) attack to be performed.

About the 'Rugged' Initiative (2010-03-10)

As most readers of my blog will know, security experts in February launched a new effort to ensure software is written from the ground up with security in mind, a philosophy and message they're aiming at people outside of the security industry.

The Rugged Software Development initiative is basically a foundation for creating resilient software that can stand up to attackers while performing its business or other functions.

"It's more of 'a value system' for writing secure software, versus a compliance program, according to its founders, who hope to incorporate the tenets of rugged code development into computer science programs at universities."

A couple of years back, I remember posting a blog article asking if basic security mantras could be incorporated into the Computer Science and IT courses in universities. Here is the link: http://smartsecurity.blogspot.com/2008/04/can-security-be-incorporated-in.html . I was happy to learn that 'Rugged' has this as part of its initiative. The question is, "When will Indian universities understand and incorporate the same?" The Indian IT industry spends so much on training costs, as more than 70% of fresh graduates are not employable or productive right away.

This isn't the first industry effort to push developers to bake security into their code.
There have been several before it: Homeland Security's Build Security In guidelines; Microsoft's Software Development Lifecycle (SDLC) framework and tools; the Building Security In Maturity Model (BSIMM), where financial services firms are comparing notes and sharing their secure coding strategies and experiences; and OpenSAMM (Software Assurance Maturity Model), an open-source model aimed at becoming an industry standard for secure software development.

Rugged doesn't include any new frameworks for secure coding, however, and will instead serve as an "on-ramp" for secure software development. Rugged is different because it is specifically aimed at people outside of the security realm.

Getting the secure software development message to the masses won't be easy, and the plan is to get some initial support and momentum from the application security industry.

Unfortunately, most developers don't know what it means to write secure code, and worse, they think they already write secure code if they write high-quality code. Software security practitioners have struggled to get past this mindset.

Rugged code is a way of breaking through and instilling the mindset that secure code should be a pride-of-ownership issue just as much as elegant, high-performing, high-quality code is.

Plenty of (IN)Secure Broadband Routers (2010-01-26)

Shh... The problem of default passwords for wireless routers still exists in most parts of the country. The Mumbai terror attacks did raise concern among people using wireless networks without having secured them. However, time and again I have still been snooping into so-called 'secured' wireless networks because the router's admin password is still set to the default. Crazy!!

[Image: broadband router (broadband-router.jpg)]

BSNL, the most widespread broadband provider, supplies its own ADSL router, which is configured by the BSNL line-man. Since most broadband customers are not so tech-savvy, they understand very little about the technical configuration done in the wireless routers.

You and I know that the default configuration of the broadband router is insecure. We may be the good guys; there may be bad guys too. The default login to the router's admin console via username admin and password admin is a very silly way into the broadband connection. The encryption or the password key provided gives little security now.

Three things that I see from this point:

a) Can the end-users be educated about the 'french-latin' of router security?
I assume the success rate is very low.

b) Can the Internet Service Provider's person configure a 'lockdown' version of secure routers?
I assume the success rate is low to moderate.

c) Can the router manufacturers start providing warning messages if their devices are running on default passwords?
I assume the success rate is moderate.

Any comments are welcome!!

Mumbai to Host India's First e-Crime Forum (2010-01-26)

[Image: e-Crime India banner (http://www.vcindia.com/images/e-crime_india-feb10/banner.gif)]

On the 23rd and 24th of February, a leading cyber crime security event, e-Crime India, will be staged in Mumbai for the first time. With the support of OWASP India, the Data Security Council of India (DSCI) and The Institution of Electronics and Telecommunication Engineers (IETE), the forum will be hosted at Hotel Novotel, Juhu Beach, Mumbai.

India's foremost cyber crime experts and IT security professionals will convene to address the key challenges faced by the people whose job it is to tackle e-crime in India and issues connected with electronic risk. Internationally renowned cyberlaw expert Mr. Pavan Duggal will deliver a special address to the forum. Chief information security officers from leading banks, including Bank of India, ICICI, State Bank of India, Standard Chartered and HSBC, and global corporations such as Vodafone, Walt Disney and Reliance Life, will join him on the podium. The forum will also hear presentations from leading academics and high-ranking law enforcement officials, including the senior inspector of police at Mumbai's cyber police station.

Over 250 senior decision makers from business, government and law enforcement are expected to attend the event, which is being sponsored by organisations including HDFC Bank and Websense.

As one of the most rapidly developing countries in the world, India has seen an enormous increase in internet users in recent years, and accordingly e-crime in India has grown at an increasingly alarming rate, costing the Indian economy an estimated $50 billion annually.

e-Crime India is a major initiative and is the newest member of the e-Crime Congress family of events, following e-Crime Middle East, which was hosted in Abu Dhabi in December 2009. The e-Crime Congress, hosted annually in London and attracting over 550 professionals from over 40 countries, recognises the need for international cooperation. Peter Brady, Business Development Manager of AKJ Associates, who organise the forum, says: "We are very happy to be coming to India, because cyber crime is a truly worldwide problem that is of concern to everyone. The e-Crime Congress has established a global reputation over the past eight years for its cutting-edge agendas that deliver key information on the latest e-crime threats and practical guidance for overcoming them. We take pride in bringing together the right people to share information and combat cyber crime around the world collectively." Manoj Saha, Managing Editor of Dickenson Intellinetics, who are partnering AKJ Associates for e-Crime India, added: "As an organisation deeply involved with events related to financial markets, private equity and investment banking, e-Crime India is a natural value adder to professionals in the Indian banking, corporate and financial markets. We are delighted to partner with AKJ Associates in making e-Crime India the destination event that no security professional should miss."

Click here for complete details of the event: http://www.e-crimecongress.org/india/

Latest Phishing Site of ICICI Bank (2009-12-20)

Hi All,

I just came across a phish email created for ICICI Bank users. Sharing the screenshots for fun.
I have reported the fake site to antiphishing.org.

The 'phish' email:

[Screenshot: phishing email (email.JPG)]

Phishing site link: http://adamthompson.org/infinity.update/BANKAWAY.sessionid/update;RetUser/Y&AppSignOn.icicibank.co.in/index.html

[Screenshot: fake ICICI login site (fake site.JPG)]

Application security should be addressed in initial SDLC stages (2009-10-08)

IT applications are akin to the organization's blood vessels because they carry critical information and execute key processes. However, due to a peripheral approach to security, application security is often neglected.

Applications require strong embedded security to prevent breaches. Hence enterprises should start to address security at the early stages of the software development lifecycle (SDLC). There are several ways to go about this.

Education: Because business users or customers are often unaware of security risks, developers and the application architect should be familiar with possible security threats and application attacks. These personnel should inculcate an application security culture throughout the lifecycle.

If you estimate risk correctly from the beginning, it will also help you save on costs. According to an industry statistic, if the cost of fixing a bug at the design phase is X, after release it would cost 60X. The cost of fixing bugs increases at each stage of application development. Developers can be trained on dummy applications to help them learn how attackers operate.

Build a threat model: A threat model for your application is essential to identify the risks involved, possible attack scenarios, controls and risk mitigation costs. To start, you should understand how the application is used. You can categorize an application based on usage (internet or intranet), data sensitivity (sensitive or non-sensitive) and the technology used (web-based or non-web-based). These parameters help you categorize the application's security level as high, medium or low. Based on this classification, security controls are integrated during the application design process.

Read more on SearchSecurity.TechTarget.IN: http://searchsecurity.techtarget.in/tip/0,289483,sid204_gci1370436,00.html

Can your Exchange Administrator view your mailbox (2009-09-25)

Hi All,

I have been trying hard to figure out whether Microsoft Exchange 2007 administrators can view a user's mailbox. If so, how is this audited?

Unfortunately, I believe there is no real way of doing this in Exchange Server 2007. The closest you'll get would be to experiment with diagnostics logging settings on MS Exchange IS Private and then trolling the application event log for the events created when someone logs onto a secondary mailbox. But as yet, I haven't heard of anyone who has figured out a way to do this which meets typical audit requirements.

In Exchange 2003, I know we could do this very well.
Just go to:<br /><br />https://exchange2003/exchange/<span style="font-style: italic;">username</span><br /><br />Put in our administrator user/pass, and login to that users mailbox and you could view his/her mailbox.<br /><br />Interesting thingi isn't it??Dharmesh Mehtahttp://www.blogger.com/profile/04847749655714276870noreply@blogger.com0tag:blogger.com,1999:blog-18794799.post-6013023883745546082009-08-28T10:29:00.003+05:302009-08-28T10:33:46.604+05:30No Built-In Response.HTMLEncode in JavaWhy doesn't Java have a built-in HTMLEncode function??<br /><br />With security vulnerabilities like Cross-Site Scripting (XSS) luring around since so many years, I am wondering why hasn't Java yet come up with its own function for Encoding chars which are malicious.<br /><br />Developers have to rely on either writing their own functions to encode characters to prevent XSS or use Open-Source libraries available to encode.<br /><br />I believe 'Sun' ... sorry...'Oracle' should think of having this simple thing built-in.<br /><br />What say folks?Dharmesh Mehtahttp://www.blogger.com/profile/04847749655714276870noreply@blogger.com2tag:blogger.com,1999:blog-18794799.post-49762187841990433192009-07-31T17:52:00.003+05:302009-07-31T18:04:04.644+05:30Dev Tools for Security TestingI have been realizing that even the development tools can be good for initial security testing !!<br />Let me explain what I mean by this.<br /><br />For instance, I have been working on a highly sensitive application (in defense sector) and this is a supposedly a Thick Client application. Developed using Windows Forms and the latest technologies of Messaging, this application can be tested for security by the development tool like Visual Studio features itself.<br /><br />Most of the security testing include Data Validation checks. Input Validation, Output Validation, SQL Injection, etc are few checks related to data validation. 
These checks can be done using the Visual Studio IDE itself, where the values for the application can be changed and checked to see whether the application passes the validation check.

Simple steps in a typical scenario:
1. My dev team says they have performed validation in both the client-side and server-side code to ensure application security. However, this needs to be checked.
2. So, if I pass valid values at the application client side, debug the application at the server side to change the values passed, and check whether the server-side validation actually fires, my job is done.
3. Why would I choose such a method? Because, typically, unless the application sends its requests over HTTP, it is "really" tough to intercept the request sent from the client machine to the server and modify the request parameters for security misuse cases.

IMO, close to 60% of security checks could easily be done using the debug features of the dev tools themselves, and it proves really useful if the application sends requests over a non-HTTP protocol.

Botnet Attack Details from Kaspersky
Posted 2009-07-24 by Dharmesh Mehta

One of the good folks over at Kaspersky Lab, Yury Namestnikov, has written a great white paper about the worldwide botnet “industry.” The story was picked up by Computer Weekly, which did a good summary of it.

The financial “highlights” of the ill-gotten gains from botnets (from Computer Weekly):

• Hiring a botnet for DDoS attacks costs from $50 to thousands of dollars for a continuous 24-hour attack.
• Stolen bank account details vary from $1 to $1,500 depending on the level of detail and account balance.
• Personal data capable of allowing the criminals to open accounts in stolen names costs $5 to $8 for US citizens; two or three times that for EU
citizens.
• A list of one million email addresses costs between $20 and $100; spammers charge $150 to $200 extra for doing the mailshot.
• Targeted spam mailshots can cost from $70 for a few thousand names to $1,000 for tens of millions of names.
• User accounts for paid online services and game stores such as Steam go for $7 to $15 per account.
• Phishers pay $1,000 to $2,000 a month for access to fast-flux botnets.
• Spam to optimize a search engine ranking is about $300 per month.
• Adware and malware installation ranges from 30 cents to $1.50 for each program installed. But rates for infecting a computer can vary widely, from $3 in China to $120 in the US, per computer.

And what makes this all possible? There are tens of millions of PCs available to botnet operators because of bad computer security on machines in homes and bad security practices by the people who use them.

Computer Weekly story: “Kaspersky reveals price list for botnet attacks” (http://www.computerweekly.com/Articles/2009/07/23/237015/kaspersky-reveals-price-list-for-botnet-attacks.htm)

Original white paper: “The economics of Botnets” (http://www.viruslist.com/en/analysis?pubid=204792068)

Isn't that Impossible?
Posted 2009-06-18 by Dharmesh Mehta

Not every organization and its people know about software security issues, nor do they respect them.

In most of the secure coding workshops I conduct with developers, I often hear the proclamation, "Isn't that impossible..."
and then the drama starts...

Many developers do not understand how the web works:
• “Users can’t change the value of a drop down”
• “That option is greyed out”
• “We don’t even link to that page”

Many developers doubt attacker motivation:
• “You are using specialized tools; our users don’t use those”
• “Why would anyone put a string that long into that field?”
• “It’s just an internal application” (in an enterprise with 80k employees and a flat network)
• “This application has a small user community; we know who is authenticated to it” (huh?)
• “You have been doing this a long time, nobody else would be able to find that in a reasonable time frame!”

Many developers do not understand the difference between network and application security:
• “That application is behind 3 firewalls!”
• “We’re using SSL”
• “That system isn’t even exposed to the outside”

Many developers do not understand a vulnerability class:
• “That’s just an error message” (usually related to SQL Injection)
• “You can’t even fit a valid SQL statement in 10 characters”

Many developers cite incorrect or inadequate architectural mitigations:
• “You can’t execute code from the stack, it is read-only on all Intel processors”
• “Our WAF protects against XSS attacks” (well, clearly it didn’t protect against the one I’m showing you)

Many developers cite questionable tradeoffs:
• “Calculating a hash value will be far too expensive” (meanwhile, they’re issuing dozens of Ajax requests every time a user clicks a link)

There would be dozens more. The point is that developer education for security is one of the largest gaps in most SDLCs. How can you expect your developers to write secure code when you don’t teach them this stuff?
You can only treat the symptoms for so long; eventually you have to attack the root cause.

Looking for better solution(s)
Posted 2009-06-18 by Dharmesh Mehta

It's been 5 years that I have been looking at application security issues. It makes me wonder when I find myself and many others still looking out for unsolved or better security solutions: certain issues where we have broken our heads to get a solution, but in the end it hasn't been secure "enough".

I thought it might be interesting to post my list of such issues for others to see, and to get opinions on them.

Still looking for better (secure) solutions for the following points:
1. Implementing a strong key management solution for PCI compliance. Customers trust products which can help achieve this compliance, but do not trust a bespoke implementation. I strive to get this done!

2. Developing a better CAPTCHA mechanism to defend against robots. I believe a real-world user hates the current image version displayed. It has to be simple and secure.

3. Getting the NAT'ed IP address of the user using HTML or JavaScript.

4. A strong solution to prevent users from getting on to fake sites (phishing) without much user education.

5. Developing an effective and manageable Web Application Firewall which can be at least a bronze bullet (if not a silver bullet) for web security. :)

6.
Designing security for social networking sites, where a feature could be exploited as a flaw.

My Top Excuses for Not Fixing Security Defects
Posted 2009-05-04 by Dharmesh Mehta

Here are the top excuses/reasons I have come across from people who would not want to fix a critical or severe security defect:

1. Functionality is prioritized before security.
"Doesn't matter if the application can be accessed by unauthorized users, but the application should be working as we need to GO LIVE!"

2. Ahh! We do not need to be compliant to that level of security.
"Lack of basic security measures required for an application."

3. The application will be replaced soon with newer systems. Why bother to change now?
"The system owners, with no concrete plan of replacing the system in the next phase, pounce with this excuse for not fixing the defects at this moment."

4. The security solution conflicts with the business requirement.
"Remember, the requirement is to email the password to the user in clear text. Ahh! A defect in the requirement itself."

5.
Inadequate reach of the security risk to the customer.
"The software vendor realizes the importance of security and the risks involved, but unfortunately his point of contact at the customer side is a non-technical guy who doesn't realize the importance equally and denies a change."

Microsoft Security Intelligence Report v6
Posted 2009-04-21 by Dharmesh Mehta

[Image: cover of the Microsoft Security Intelligence Report]

Microsoft has released the latest version of the Microsoft Security Intelligence Report (SIRv6), examining industry-wide software vulnerability disclosures, Microsoft vulnerability disclosures and exploits, malicious software (malware), and potentially unwanted software.

I understand that some of you may not wish to read a 150-page technical analysis document, except as a way to fight off insomnia.
Because of that, if you go over to the main SIR page at www.microsoft.com/sir, there is also a "Key Findings" document that is much more concise and provides a nice summary of the findings from each section.

Report: http://www.microsoft.com/security/portal/sir.aspx

Spam - It also impacts the environment
Posted 2009-04-20 by Dharmesh Mehta

McAfee has released The Carbon Footprint of Email Spam Report. The study looks at the global energy expended to create, store, view, and filter spam across 11 countries: Australia, Brazil, Canada, China, France, Germany, India, Mexico, Spain, the United States, and the United Kingdom. The report correlates the electricity spent on spam with its carbon footprint, because fossil fuels are by far the largest source of electricity in the world today. Since emissions cannot be isolated to one country, the study averages its findings to arrive at the global impact. Key findings include:

• The average greenhouse gas (GHG) emission associated with a single spam message is 0.3 grams of CO2. That’s like driving three feet (one meter); but when multiplied by the yearly volume of spam, that amount is equivalent to driving around the earth 1.6 million times.
• Much of the energy consumption associated with spam (nearly 80 percent) comes from users deleting spam and searching for legitimate email (false positives). Spam filtering accounts for just 16 percent of spam-related energy use.
• Spam filtering saves 135 terawatt hours (TWh) of electricity per year.
That is equivalent to taking 13 million cars off the road.
• If every inbox were protected by a state-of-the-art spam filter, organizations and individuals could reduce today’s spam energy by 75 percent, or 25 TWh per year, the equivalent of taking 2.3 million cars off the road.
• Countries with greater Internet connectivity and more users, such as the United States and India, tend to have proportionately higher emissions per email user. The United States, for example, had emissions that were 38 times those of Spain.
• While Canada, China, Brazil, India, the United States and the United Kingdom showed similar energy use for spam by country, Australia, Germany, France, Mexico, and Spain came in about 10 percent lower. Spain had the lowest figure, with both the smallest amount of email received as spam and the smallest amount of energy use for spam per email user.

Not only is spam related to cybercrime and a nuisance, but it also impacts the environment. Download the study here: http://resources.mcafee.com/content/NACarbonFootprintSpam. It’s worth a read.

How to Protect Your PC from Malware Infection
Posted 2009-04-11 by Dharmesh Mehta
Malware, or malicious software, is a program or a file which is harmful to your computer. These programs have the capability to enter your computer system without your knowledge or consent and cause errors leading to system slowdowns, crashes and loss of data.

In the United States alone, there are over 60 million computer users who are affected by viruses, spyware or some other kind of malicious software. Almost every day new malware is released into the cyber world, making it easier for online criminals to attempt to steal financial information, important data or personal identities. Anti-malware tool manufacturers try to keep up with this new malware by constantly releasing updates and advanced antivirus and antispyware programs.
On the other hand, the response to this huge problem by computer owners is usually delayed. Most users wake up to the seriousness of the problem when their computer has already started to show signs of infection, like error messages, system slowdowns, and frequent freezes and system crashes. Even then, the user's response is mostly to take care of the immediate problem, rather than to create a robust defense for their computer. Over 62% of computer owners surveyed have inadequate protection against malware. This essentially means that either they do not have anti-virus and anti-spyware tools, or they do not use or update them regularly.

Protecting your System against Malware
It is essential for you to protect your system from all kinds of malicious software programs, such as the d.exe (http://www.exe-error-fixes.com/manual-removal-dexe-virus/) and aspimgr.exe (http://www.exe-error-fixes.com/aspimgrexe-infected/) files. When a system is infected, it is quite expensive and time-consuming to restore it to its original condition. Furthermore, you stand a chance of losing a large amount of your data, and if your PC is on a network, other connected computers may become affected as well. At times, these programs come disguised as legitimate Windows files, such as iexplore.exe and alg.exe (http://www.exe-error-fixes.com/algexe-spyware-adware-virus/), and this makes it quite difficult to detect and remove these malicious files manually.

It is humanly impossible to make your computer 100% secure, but by taking simple precautions and continuously updating your computer you can reduce your risk considerably.
The first step in protecting your system is to install reliable and advanced Anti-Virus and Anti-Spyware solutions. It is advisable to run anti-virus and anti-spyware scans on a regular basis. You must also update these tools regularly, because manufacturers release new definitions almost daily.

You can also make your system more secure by installing a Firewall. A firewall can be a hardware device or a software application that sits between your computer and the Internet. It filters the information you send and receive on your computer. In other words, the firewall receives and inspects all incoming and outgoing data. The tool allows you to choose which programs may access the network from your computer, which to a large extent prevents malware infiltration and unauthorized access to your system.
It is also highly advisable to update your Windows software regularly by using the Windows Update feature, the live update features of third-party software, and a reliable driver scanner tool. You must also scan your registry on a regular basis to ensure that no malware data stays within it. You can do this easily and efficiently by using a reliable registry cleaner tool.
How To Avoid PC Errors And Boost Computer Performance
Posted 2009-04-05 by Dharmesh Mehta
Are you sick and tired of the frequent error messages that keep showing up on your PC?

Would you like to learn how to avoid annoying computer errors, without spending hundreds of dollars?

If your answer to these questions is yes, you do not need to give up hope just yet. First, you are not alone: you are part of a majority of computer users who feel overwhelmed by these computer errors and by how these problems are damaging computer performance. Secondly, you must understand that you will not find a permanent solution to computer errors by just hoping that errors do not happen, or by calling in the computer experts to your rescue every time you encounter an error. The only solution to these problems is to confront these errors head-on. This includes understanding why these errors happen, how they can be avoided, and what to do when errors show up even after you have taken all the necessary steps. To perform these tasks, you will need the services of a few useful tools that are critical in avoiding and fixing frustrating computer errors.
Disable Unwanted Startup Programs. Quite often, when you install software programs on your computer, they configure a related process to start automatically at system startup. For instance, Osa.exe launches at system startup to enable quick access to Microsoft programs. The program is seldom used, and most of the time the only task it does is to feed on your system resources. To disable osa.exe (http://www.exe-error-fixes.com/disable-osaexe-startup/) and other such unwanted processes from starting at system startup, you may either use the System Configuration Utility (msconfig) that comes with your Windows operating system or use an easy-to-use third-party startup program manager tool.
Ensure that your User Profile is Not Corrupt. Many files, such as csrss.exe (http://www.exe-error-fixes.com/resolving-csrssexe-100-cpu-usage-problems/), cause high CPU usage problems that slow down your computer if the user profile for the account with which you are logged on to the system is corrupt. If this is the case, you can resolve the problem by deleting your current user profile and creating a new one. Before deleting your corrupt user profile, remember to make a backup of your files, including your emails, address book, favorites, and files stored on your Desktop.
Scan and Clean Malware Regularly. Many errors, such as exe errors and runtime errors, are caused by virus and spyware infections. To fix exe errors (http://www.exe-error-fixes.com/) and other error messages generated by malware, and to prevent them from occurring in the first place, it is essential that you use efficient antivirus and antispyware tools to scan for and clean all unwanted malicious data. To ensure that these tools are effective, make sure to update them with the latest definitions on a daily basis.
Clean and Defrag your Hard Disk. Low disk space errors and slow computer problems are common on computers with a filled-up, cluttered and fragmented hard disk. To prevent this situation, you must use the Disk Cleanup and Disk Defragmenter tools at least once a month to clean junk files and defrag your hard disk to make it contiguous. This will not only prevent errors, but will also considerably speed up your PC.
Clean and Repair the Windows Registry. Finally, make it a point to get a reliable registry tool and use it at least once a month to scan, clean, and repair unwanted and corrupt registry entries.

Does the code use MapPath?
Posted 2009-03-16 by Dharmesh Mehta

Review code for the use of MapPath. MapPath should be used to map the virtual path in the requested URL to a physical path on the server, while ensuring that cross-application mapping is not allowed (a user-supplied path must not resolve to a directory outside the current application).

The application should not contain code similar to the following example, where the third argument (allowCrossAppMapping) is true and lets a user-controlled path map outside the application root.

    // Insecure: allowCrossAppMapping = true
    string mappedPath = Request.MapPath(inputPath.Text, Request.ApplicationPath, true);

Instead, the application should contain code similar to the following, which passes false so that any attempt to map outside the application raises HttpException.

    try
    {
        // Secure: allowCrossAppMapping = false
        string mappedPath = Request.MapPath(inputPath.Text, Request.ApplicationPath, false);
    }
    catch (HttpException)
    {
        // Cross-application mapping attempted; reject the request rather than using the path.
    }

Do You Use the HttpChannel?
Posted 2009-03-16 by Dharmesh Mehta

If you use the HttpChannel for .NET remoting, you should prefer IIS as the host for the remote component, because the component is then loaded in the ASP.NET worker process. The ASP.NET worker process loads the server garbage collector, which is more efficient for garbage collection on multiprocessor machines. If you use a custom host, such as a Windows service, you can use only the workstation garbage collector. The HttpChannel also enables you to load-balance components hosted in IIS.