Resolution for the "The group's SID could not be resolved" error

I have recently encountered the following error when enumerating through the UserPrincipal.GetAuthorizationGroups collection.

System.DirectoryServices.AccountManagement.PrincipalOperationException: An error (1301) occurred while enumerating the groups.  The group's SID could not be resolved.

The problem was the introduction of a domain controller running Windows Server 2012 while the machine running my application was a Windows 7 VM (this applies to Windows Server 2008 as well).


With a little googling, it appears that this SID error is a known issue for Windows 7 machines once a Windows Server 2012 domain controller is introduced. When a 2012 domain controller is involved, GetAuthorizationGroups() fails on the groups (SIDs) that are added to a user by default.

Installing KB2830145 fixed my problem.
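A defensive way to enumerate the groups while the hotfix is rolled out, as an added example that is not part of the original post: it assumes a domain-joined machine, the System.DirectoryServices.AccountManagement API used above, and a caller-supplied sAMAccountName.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.DirectoryServices.AccountManagement;
using System.Security.Principal;

// Added example (not from the original post). Lists a user's authorization groups and,
// if GetAuthorizationGroups() throws PrincipalOperationException (ErrorCode 1301 =
// ERROR_NONE_MAPPED, the "SID could not be resolved" case), falls back to tokenGroups.
static class AuthorizationGroups
{
    public static IList<string> GetGroupNames(string samAccountName)
    {
        var names = new List<string>();
        using (var ctx = new PrincipalContext(ContextType.Domain))
        using (var user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, samAccountName))
        {
            if (user == null) throw new ArgumentException("User not found: " + samAccountName);
            try
            {
                // Normal path: enumeration lazily resolves every group SID to a Principal.
                foreach (Principal group in user.GetAuthorizationGroups())
                    names.Add(group.SamAccountName ?? group.Sid.Value);
                return names;
            }
            catch (PrincipalOperationException ex)
            {
                Console.Error.WriteLine("GetAuthorizationGroups failed (error {0}): {1}", ex.ErrorCode, ex.Message);
                names.Clear();
            }
            // Fallback: tokenGroups is the DC-computed, flattened set of group SIDs, default ones included.
            var entry = (DirectoryEntry)user.GetUnderlyingObject();
            entry.RefreshCache(new[] { "tokenGroups" });
            foreach (byte[] rawSid in entry.Properties["tokenGroups"])
            {
                var sid = new SecurityIdentifier(rawSid, 0);
                try
                {
                    names.Add(sid.Translate(typeof(NTAccount)).Value);
                }
                catch (IdentityNotMappedException)
                {
                    names.Add(sid.Value); // keep the raw SID visible instead of silently dropping the group
                }
            }
        }
        return names;
    }
}
```

Translating each SID separately means a single unresolvable entry is reported as a raw SID rather than aborting the whole listing, which is what the 1301 error does on the normal path.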




Poodle & Sandworm

In light of the recently concluded National Cyber Security Awareness Month, a shout out to CVE-2014-4114 (addressed in MS14-060): a vulnerability in the OLE package manager that can be exploited to remotely execute arbitrary code on Microsoft Windows versions from Vista SP2 to Windows 8.1 and on Server 2008 and 2012. Yeah, 2012 too.

And here's to POODLE.

POODLE: This dog bites – An infographic by the team at Pluralsight


Hacktivity - Software Threat Modeling by Shakeel Tufail

Threat modeling and diversion tactics; a good high-level overview of software security.

There are only a handful of threat modeling approaches in the industry, and they are difficult to implement due to their subjective guidelines. Our training session will focus on best practices and a hands-on approach that will give attendees a better understanding of how to conduct threat modeling in their organization. Most threat models focus on attackers; we will look at the threat model using trust zones, identifying assets, indirect threats, and ambiguity analysis. We will also speak about secure design concepts and best practices for securing software architecture.

Learning Objectives: At the end of this workshop, participants will be able to:

  • Understand the basics of threat modeling software applications
  • Understand the meaning of threats, attack vectors, and trust zones
  • Learn about ambiguity analysis
  • Learn about secure design concepts
  • Learn best practices for securing software architecture

Notes from my LA C# User Group Talk

I spoke to the LA C# User Group last night in Pasadena on the topic of Web Application Security with OWASP.

The slide deck of my talk can be downloaded from here. LA C# OWASP Presentation

Links from the talk follow.


Web/Services Security Talk @ San Diego.NET User Group

Andrew Karcher, SQL Server MVP, invited me to speak to the San Diego .NET User Group this Tuesday. The topic of my talk was Secure Code Top 10 (OWASP) for Service Oriented Architectures, and the presentation slides can be downloaded from here. Links from the talk follow.

Web Service Security Cheat Sheet

OWASP WebGoat.NET

WCF Security Fundamentals

WebGoat.NET Github (Web Forms)

WebGoat.NET Github (MVC)



C is for cookie, H is for hacker – understanding HTTP only and Secure cookies

Advanced SQL Injection - Havij

OWASP Top 10 for .NET

Samy Worm

HTML encoding in ASP.NET / MVC

HTML Encoding in Razor

How Hackers Stole 200,000+ Citi Accounts Just By Changing Numbers In The URL

6.5 Million Encrypted LinkedIn Passwords Leaked Online



Rainbow Tables

Preventing Cross-Site Request Forgery (CSRF) Attacks

Happy Coding!



OWASP Top 10 List of 2013 Released

The Open Web Application Security Project (OWASP) has published its Top 10 list of the most critical web application security risks for 2013.

The OWASP Top 10 list was last updated in 2010. In this update the importance of cross-site scripting (XSS) and cross-site request forgery (CSRF) has been reduced, while risks related to broken authentication and session management have been prioritized higher.

Injection attacks (code injection, SQL injection, etc.), which were the topmost risk in 2010, have retained their position in the new list. According to OWASP, the 2013 Top Ten list (PDF) was compiled from half a million vulnerabilities discovered in thousands of applications from hundreds of vendors.

OWASP Top 10 - 2013


On Entropy Depletion & Related Links

I had to dig these up in the context of a conversation around the (in)security of currency regimes such as Bitcoin, where presumed ownership of currency is built solely upon asymmetric cryptography. You may find some of these links to be of interest as well.

Textbook RSA is insecure
   and other interesting observations...

Hardware Security for FPGAs using Cryptography
   contains a great overview of different kinds of side-channel attacks on cryptography
Acoustic cryptanalysis: on nosy people and noisy machines
   seeing through The Matrix isn't really that hard if you know how to look at it
Disk encryption may not be secure enough
   ye olde standard cold boot attack
On Entropy Depletion
   Running out of randomness can hurt, bigtime.
Researchers Crack RSA Encryption Via Power Supply
   Invasive side-channel attack.
Blue Pill - Machine Virtualization for Fun, Profit, and Security
   Virtualization attacks.  Epic turtles.  
via David Lazar.

Presentation on Exploring 'Distributed' in DDoS

Exploring Distributed in DDoS - Social Engineering aspects of an 'Anonymous' style DDoS attack
Recorded 24 April 2013.


With the proliferation of social media and mobile devices to the masses, protecting against distributed denial of service attacks has become an arduous technical challenge. Even though we expect much more sophistication, research reports show that the majority of Anonymous-style hacktivist attacks take the form of distributed denial of service. During analysis of the largest known hacker forum, with roughly 250,000 members, Imperva's Hacker Intelligence report states that social networks today pose a major interest for hackers. In this talk we discuss the technical challenges and potential remediation of such denial of service attacks. The presentation will elaborate on key tenets of defense in depth and web application security do's, and outline potential threats for the financial application domain.

The Cultural Knowledge Consortium (CKC) is a joint and inter-agency effort established to provide a Socio-cultural Knowledge Infrastructure (SKI) to help provide access to and connect multi-disciplinary, worldwide social science expertise, and to support collaborative engagement efforts in support of Combatant Command (COCOM) socio-cultural analysis requirements. CKC supports and complements the alignment and synchronization of DoD analytical efforts, operational information requirements, and training programs.


Hacking Web Apps - Book Review

Hacking Web Apps - Detecting and Preventing Web Application Security Problems, by Mike Shema, is a contemporary guide on web application security. Mike's labor of love, as he likes to call this book, contains very relevant and distilled information on modern-day web application attacks. The book is different from your garden-variety web-application-top-n-style verbose texts with template vulnerabilities and hello-world solutions; Hacking Web Apps is a book with a strong personality, which shows in the eight chapters covering diverse topics from HTML5 security, XSS, CSRF and platform weaknesses to browser and privacy attacks.



Starting with HTML5, the author discusses security issues surrounding the "new" DOM, CORS, web sockets, web storage and web workers in a concise and concrete manner. This first chapter, however brief, makes this book quite unique, since very few books to my knowledge have dealt with security issues pertaining to HTML5. The book provides a nice knowledge upgrade on exploits and vulnerabilities when it comes to web 2.0 technologies. Packed with tips, epic failures and notes providing security anecdotes from the real world, this text keeps you involved and entertained throughout. Going beyond the usual CWE/SANS and OWASP top-x vulnerabilities, the author elaborates on design issues and draws parallels on how to apply these lessons to other similar problems. The text tends to be language agnostic and the code samples are in multiple languages (Python, PHP, etc.), but I do miss examples with the specifics of libraries such as AntiForgeryToken in ASP.NET MVC.

Since I have not read any of Mike's previous books, I cannot comment on how much is shared between his writings, but for any web or server-side developer interested in security, I'd highly recommend reading this book.


Slides from 11th Annual SecureIT conference- “OWASP Web Services Security - Securing your Service Oriented Architecture”

I recently spoke at the 11th SecureIT conference on "OWASP Web Services Security - Securing your Service Oriented Architecture". This annual event was hosted by UC San Bernardino at the Sheraton Fairplex Hotel.

The SecureIT Conference provides focus and opportunities to higher education staff meeting the challenges of providing a secure information technology environment for campus communities. The event was well attended, with distinguished speakers including Pradeep Khosla, UC San Diego's chancellor; Michael Montecillo, IBM Security Services Threat Research and Intelligence Principal; and Eric Skinner, VP of Mobile Security for Trend Micro.

The slides of my presentation can be found below.
