RunAsUser Back in the Windows Vista timeframe, the existing RunAs verb for ShellExecute was changed. Instead of prompting the user to run the target as a different user (e.g. the experience you get when you Shift-Right-Click on an app) it instead would treat the call as “Run the target as an Elevated Administrator”. Well, whatContinue reading “Stupid (useful) Windows Shell Tricks”
Category Archives: security
An A+ HTTPS site for $20
Building a HTTPS-secured website is easier than it’s ever been.
HTTPS Only Works If You Use It
It should be obvious, but everyone seems to be making the same mistake. HTTPS only works if you use it. Everywhere. If you don’t use HTTPS everywhere, a bad guy can intercept an insecure request and prevent the user from reaching your secure site. HSTS is a good start to mitigating the threat of accidentallyContinue reading “HTTPS Only Works If You Use It”
Testing HTTPS In Native APPs
Over on Twitter, Paul asks how to verify that a native application is using TLS. For a PC, it’s pretty simple, just run Fiddler and watch the traffic. If you see any HTTP requests (other than those labeled “Tunnel to”, indicating a HTTP tunnel used for HTTPS traffic) from the Process of interest, that trafficContinue reading “Testing HTTPS In Native APPs”
Content Blocking: Unintended Consequences
Our company uses a web firewall device called IronPort to attempt to block unwanted network traffic; it blocks access to known phish and malware domains, and, more annoyingly, domains thought to be related to gaming or “questionable” topics (e.g. politics). Whatever. Today the IT department pushed a new rule set which blocks some requests to domains likeContinue reading “Content Blocking: Unintended Consequences”
text/plain 