
 SECURITY


  How does CSDN dare to use plain text as password?

Recently, China's largest Chinese IT community website, CSDN, leaked its users' account information. Later today CSDN made an announcement to its users on its website. The announcement said that some user account information was leaked and that the passwords of the accounts were stored as plain text in their database before 2009, and that after 2009, they adopted an encryption algorithm to encrypt user passwords. They urged all users who registered an account before 2009 to change their password immediately. After reading this news, I was shocked. How come an IT website stores passwords in pl...

6,639 0       SECURITY INFORMATION LEAK CSDN PLAIN TEXT


  Bad code plagues business applications, especially Java ones

A new study examining 365 million lines of code in 745 applications identifies bad coding practices that affect security, performance and uptime, with Java Enterprise Edition applications having the greatest number of problems. Cast Software, which makes tools that automate the analysis of business applications, examined programs written in Java-EE, .NET, ABAP, C, C++, Cobol, Oracle Forms, and Visual Basic, used across a wide range of industries from energy and financial services to IT consulting, insurance, government, retail, telecom, and more. Java-EE applications were the most prevalent in...

3,322 0       PROGRAM SECURITY DEFECTS JAVA


  Three Simple Ways to Improve the Security of Your Web App

It seems like web app security has entered the public consciousness recently, probably as a result of the press covering the activities of groups like Anonymous and incidents like security breaches at several CAs. Here are a couple of quick security tips to improve the security of your web apps. Think of these as low-hanging fruit, not as a substitute for thorough analysis of your app’s security. If there’s interest in this topic we can do more posts, too - let us know in the comments! Prologue: SSL. Your app already forces all traffic over SSL, right? If it doesn’t, it should. T...

3,445 0       SECURITY SSL WEB APP X-FRAME-OPTIONS


  FUCK PASSWORDS

I'm so tired of passwords. So, so, so tired. Most people don't understand this. Most people use the same password everywhere. Most people can just mechanically type out password3 in every password box, smirking to themselves at how clever they are, because who would ever guess 3 instead of 1? I don't do that. Let me tell you what I do. I generate a different password for every service, based on a convoluted master password and the name of the thing. I do this because it's what you're supposed to do; it's what security nerds (including myself for the purposes of this post) tell everyone e...

4,847 0       SECURITY PASSWORD RANDOM GENERATION HARD TO REMEMBER


  Full disk encryption is too good, says US intelligence agency

You might be shocked to learn this, but when a quivering-lipped Chloe from 24 cracks the encryption on a terrorist’s hard drive in 30 seconds, the TV show is faking it. “So what? It’s just a TV show.” Well, yes, but it turns out that real federal intelligence agencies, like the FBI, CIA, and NSA, also have a problem cracking encrypted hard disks — and according to a new research paper, this is a serious risk to national security. The study, titled “The growing impact of full disk encryption on digital forensics,” illustrates ...

2,175 0       FDE FULL DISK ENCRYPTION CRACK DIFFICULTY


  Setting server timezone

To set your web server's date timezone, for example for Eastern Standard Time (EST), use the following code:
SetEnv TZ America/Indianapolis
For example, for Los Angeles time (Pacific time), use the following code:
SetEnv TZ America/Los_Angeles
Other location examples include:
America/New_York - Eastern Time
America/Detroit - Eastern Time - Michigan (most locations)
America/Louisville - Eastern Time (Louisville, Kentucky)
America/Indianapolis - Eastern Standard Time (Indiana, most locations)
America/Indiana/Marengo - Eastern Standard Time (Indiana, Crawford County)
America/Ind...

2,327 0       SERVER CHANGE .HTACCESS TIME ZONE