Tuesday, April 29, 2008

The Internet Explorer team should be proud of themselves this week:

Many people are switching from Internet Explorer to alternative browsers such as Firefox and Safari. Though that might make them feel more secure, the shift has also opened new doors for bad guys.

Case in point: We have no IE bugs to report this month, but both Firefox and Safari have been hit hard.

However, if you're feeling ten feet tall and bulletproof because you're using Firefox, you might want to reexamine that idea and make sure you get the auto-updates installed:

In a somewhat dubious recognition of Firefox's growing popularity, hackers have focused their attention on it, leading to a rash of newly discovered holes. The folks at Mozilla recently released two Firefox updates in less than six weeks, fixing a total of five critical security vulnerabilities. All five can be exploited by planting a poisoned JavaScript file in a Web site and waiting for you to stumble across it.

The scary thing here is that you don't have to do anything beyond loading the page to trigger these exploits, and JavaScript is all but invisible to any user who isn't specifically looking for it.

Likewise, Apple cultivates the image of security to every fanboy's peril:

Safari 3.1 patches 13 holes affecting Mac OS X, Windows XP, and Windows Vista.

Think you're safe because you don't have Safari? You may have it without realizing it. Apple now distributes its browser with iTunes updates. Forget to uncheck a box in one of these updates, and it's there.

The Safari holes could allow an attacker to trick you into thinking that a fake site is really your bank site, or to take over your PC via a poisoned page.

Remember it was Safari that led to the hacking of a MacBook Air in a recent contest.  Add in the insult of sneaking Safari onto machines via iTunes updates, and in most corporate environments Safari would be classified as malicious software.  The distribution policy has recently been changed to be clearer about what is being installed, but some damage has been done, and you still have to refuse the automatic installation.

There is a reason corporate IT departments prefer software we can control via Group Policy, and why we have policies against anyone installing anything.

Tuesday, April 29, 2008 1:07:50 PM (Eastern Standard Time, UTC-05:00)

Although this attack targets websites powered by Microsoft SQL Server, databases such as Oracle are also vulnerable to this attack.

The attacks "are a very sophisticated form of SQL injection," Qualys CTO Wolfgang Kandek told TechNewsWorld. "Normally, SQL injection is targeted to one table. With this attack, they used a generic mechanism of the underlying database to make it work on a much broader set of applications."

The attacks have targeted sites running IIS and ASP that have an MS-SQL database. However, they are not exploiting a particular flaw in these applications -- the exploit could have been written to target any database -- Oracle or WebSphere, for example.

Rather, the code exploits what security researchers are bemoaning as an elementary lapse in Web security on the part of developers installing the databases.

The article also points out a SQL Server-specific misconfiguration that makes a successful injection far worse than it needs to be:

"The underlying database servers are often misconfigured to have an extended stored procedure xp_cmdshell enabled," Belani told TechNewsWorld. "This setting allows an attacker to execute commands at the operating system level post compromise via SQL injection. This level of access is hard to come by in other database servers like Oracle."

Full story at http://www.technewsworld.com/edpick/62783.html?welcome=1209477802.
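A quick way to see whether a server is in the state Belani describes, and to fix it, as an added example that is not from the article or the post.  On SQL Server 2005 and later, xp_cmdshell is a server option switched with sp_configure (SQL Server 2000 has no such option; there the procedure could only be dropped with sp_dropextendedproc).  The last query is the control that actually matters: by default only sysadmin members can execute xp_cmdshell at all, so the web application's login must never be one.

```sql
-- Added example (not from the article or the post): check and disable
-- xp_cmdshell on SQL Server 2005 or later.  Needs ALTER SETTINGS, which
-- the sysadmin and serveradmin roles have.

-- Is it on?  run_value = 1 in the result set means enabled.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell';

-- Turn it off, then hide the advanced options again.
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- Verify from the catalog view rather than trusting the procedure output.
SELECT name, value_in_use
FROM   sys.configurations
WHERE  name = 'xp_cmdshell';          -- expect value_in_use = 0

-- Who could switch it straight back on (and run it regardless)?  By default
-- only sysadmin members can execute xp_cmdshell, so the login the web
-- application connects with must not appear in this list.
SELECT name, type_desc
FROM   sys.server_principals
WHERE  type IN ('S', 'U', 'G')        -- SQL logins, Windows logins, Windows groups
AND    IS_SRVROLEMEMBER('sysadmin', name) = 1;
```

If the application's login does show up in the last result, disabling xp_cmdshell only buys time: a sysadmin connection can re-enable it with the same sp_configure call, through the injection itself.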

The root cause of these attacks is insecure web application design, which allows SQL code to be inserted into a page request and executed as part of the resulting database query.  This is an old technique known as SQL injection.

If you're not familiar with SQL injection, you need to be, since it's a very basic flaw with serious ramifications.  I highly recommend reading 19 Deadly Sins of Software Security for very good introductions to some very basic design issues.

Tuesday, April 29, 2008 9:13:50 AM (Eastern Standard Time, UTC-05:00)
 Monday, January 07, 2008

One of Dell's selling points for its new Vostro line is a lack of trial-ware.  In fact, Dell's website makes the following claim on the Vostro homepage:

No trialware.
Customers said they hated trialware, so we took it away. Vostro systems come without annoying trialware pre-installed. You only get the software you want.

If only it were true that you only got the software you want.  Remember these machines are designed and priced for small offices, 1-25 employees.  You know the kinds of offices these are--they're the ones without IT, and are subject to the whims of their vendors.  We recently purchased three Vostros (two Vostro 200 slim towers to expand the POS in my wife's flower shop, and one Vostro 1500 laptop for myself), and I was dismayed to find software I didn't really want on all three:

1) Google Toolbar is preinstalled with IE.  Google recently seems to have changed its motto from "don't be evil" to "total world domination", and I understand they pay a bounty to Dell for preinstallation of their toolbar.  In case you've missed out, Google's been involved in a couple of privacy flaps lately.  The toolbar remembers where you go and what you do, which has probably been a reason for some of these unsecured data exposures on the Internet--the file location was sent to Google after being accessed by an unsuspecting user, and Google indexed it.  Yes, the business was stupid to not secure the data, but Google is the one who indexed the data and made it public, so I hold both complicit.

2) Google Desktop.  This one is worse than the toolbar, IMHO.  Again, it's my understanding a bounty is paid for each installation.  And again, there are privacy issues, especially since it opens (automatically, BTW) with default settings.  If the user doesn't know the software is installed and is indexing their documents, they might be surprised to see them show up in their searches.  While usually pretty secure, Google's various properties have been subject to exploits recently, and there is the chance sensitive data can be compromised because of the Google desktop.  Additionally, Google Desktop introduces unexpected keyboard behaviors (e.g., double control brings up a search box), and for unknowledgeable users, this software makes their computer a thing of surprise.

3) The Dell Search Redirector.  Oh how this one works my main nerve!  If you goof a website's address in IE, you're transported to a Dell/Google cobranded page of "suggested results" and (drum roll please) AdWords ads.  The standard "Internet Explorer couldn't find the website you're looking for" page has been totally replaced.

4) Dell Network Assistant.  Yet another replacement for Windows' built-in network connection utilities.  Granted, the user-friendliness of Windows XP's network management is really low, but the Dell NA takes forever to find the preferred network and connect.  How slow is it?  I can boot, open Thunderbird and have it searching for my e-mail servers, and it's still another minute or so before DNA connects.

5) Dell Support Assistant.  I feel bad for people who agree to use this one.  You get the annoying toasts saying there's some update for your PC somewhere, but the UI is confusing and uninformative.  If there's an alert, I should be taken right to it when I open the tool.  Plus, we don't need the staff freaking out that something is wrong with the new PCs just because an unexpected notice pops up.  That's disruptive to the day's work, and takes them out of their flow if they're taking an order and one of these messages appears.

Now, you can turn off and uninstall all of these options, but that's not very friendly.  It should be that I can turn on anything I want, not have to turn off what I don't.  Except for the Dell Network Assistant, all of the others have been removed from our PCs.


Monday, January 07, 2008 10:19:56 AM (Eastern Standard Time, UTC-05:00)
 Tuesday, November 20, 2007

The ACE Team (Application Consulting and Engineering) has released a beta version of their tool to scan managed code and detect potential cross-site scripting vulnerabilities.  XSSDetect runs as a Visual Studio plug-in.

From their blog:

One of the biggest, constant problems we've seen our enterprise customers deal with and we here at Microsoft have to also contend with is that of the XSS (Cross Site Scripting) bug.  It's very common and unfortunately, still an issue we have to deal with in many web applications.  Internally, the ACE Team has been working on several projects to help mitigate and fix these issues, as well as detect them in the code bases that we review so that they can be fixed before going live.

They also have a follow-up post which discusses using XSSDetect to scan large applications.  For very large applications, you may run into an "out of memory" error.  Besides bigger and badder hardware, the suggestion is to analyze binaries in smaller chunks.

Tuesday, November 20, 2007 12:37:16 PM (Eastern Standard Time, UTC-05:00)
 Tuesday, July 31, 2007

Kevin Gearing has released an updated CAPTCHA control for .NET.  Not only is it compiled against the latest version of the framework, there are a lot of new features, too:

Version 2 of FormShield builds on the previous .NET 1.1 version, adding a wealth of new features, options and accessibility improvements. The most notable feature addition is the capability for FormShield to now automatically generate a spoken version of the value shown on the image to aid with accessibility legal compliance. This however is just one of a handful of major new features, not to mention the number of improvements and changes made since the previous version.

If you’re looking for an ASP.NET CAPTCHA control, this one is worth checking out.

Full story at http://dotnetfreak.co.uk/blog/archive/2007/07/13/formshield-for-net-2-0-released.aspx

Tuesday, July 31, 2007 11:04:57 PM (Eastern Standard Time, UTC-05:00)
 Thursday, July 06, 2006

Recently, a question came up in the ASP.NET security forums about the lack of a remote membership/role configuration tool in ASP.NET 2.0.  Being able to remotely manage users is important in pretty much any site where you have users.  Fortunately, QualityData has stepped in and developed that plus a little more in their Membership Manager Control.  It apparently works with AJAX and exposes an API as well.  At $59, it's pretty darn cheap, too.

If you need a free license (beyond the trial version) for your needs, they also have a link-for-license program.  Add a link like Asp.Net Server Controls by Quality Data, and let them know.

Thursday, July 06, 2006 3:34:38 PM (Eastern Standard Time, UTC-05:00)
 Monday, October 03, 2005

In a previous post (http://aspadvice.com/blogs/rjdudley/archive/2005/05/21/2595.aspx), I showed one way to protect files from direct download by configuring IIS.  In a shared hosting environment, this usually isn't possible, so I'll show another way to protect these files.

First, a little review.  Out of the box, only certain file extensions are mapped in IIS to the ASP.NET ISAPI extension (aspnet_isapi.dll).  These include .aspx, .ascx, .ashx, etc.  If one of these is requested, IIS hands processing off to ASP.NET.  Otherwise, IIS serves the file directly (or hands it off to another ISAPI, as necessary).  There are also a number of file types mapped to ASP.NET that are protected by the HttpForbiddenHandler, an HTTP handler that refuses direct requests for the specified types with a 403 ("This type of page is not served").  If you examine the <httpHandlers> section of your machine.config file, you'll see the list: .config, .cs, .vb, .resx, .resources and so on.

It would seem that simply adding a file extension to the <httpHandlers> section and letting the HttpForbiddenHandler prevent its download would be enough, but unfortunately ASP.NET only ever sees requests for extensions IIS has mapped to it.  You would also need to configure IIS for any new extension you want handled, which is the problem in the first place.

However, there's a little trick we can use.  Let's say you have a file named "protected.pdf" which you wish to prevent direct download of.  You can rename this file to "protected.pdf.resources", and since the .resources extension is already mapped to ASP.NET and already forbidden, users will not be able to download this file directly even if they can guess the file name; they get a 403 instead.  Try it and see.  Two caveats: the file still sits on disk under the web root, so anyone with FTP or file access to the site can read it, and the protection only covers direct requests.  Whatever page you write to serve the file must do its own authorization check before sending it, or you've just moved the hole.

When it comes time to allow users to download the file, you can use the System.Web.HttpResponse.WriteFile method to send the file to the user.  You have to clear the response and set a content type to make this all work correctly, as shown:

' Only reach this point after checking that the current user is allowed this file.
Dim strFileName As String = Server.MapPath("protected.pdf.resources")
' Name the browser should see: strip the decoy extension, and use only the file
' name so the server's physical path is not leaked in the Content-Disposition header.
Dim strFileId As String = System.IO.Path.GetFileName(strFileName).Replace(".resources", "")

With HttpContext.Current.Response
   .ClearContent()
   .ClearHeaders()
   .ContentType = "application/pdf"
   .AddHeader("Content-Disposition", "inline; filename=" & strFileId)
   .WriteFile(strFileName)
   .End()
End With

Monday, October 03, 2005 7:42:02 PM (Eastern Standard Time, UTC-05:00)
 Monday, August 15, 2005

Today's NewsFactor Network showed up in my inbox, and the lead story was:

------------------------------------------------------------

1. E-Mail Authentication: Holy Grail or Lost Cause?

------------------------------------------------------------

Originally, e-mail was never designed to do anything more than deliver text messages. But added-on features eventually opened gaps that hackers quickly exploited.

See the Full Story:

http://www.newsfactor.com/story.xhtml?story_id=37643

I'm cool with the second sentence.  Think of how many viruses propagate via e-mail in one form or another, not to mention web bugs tracking live addresses, etc.  This was followed by one of their "most popular articles":

------------------------------------------------------------

4. Novell Aims To Push E-Mail Further

------------------------------------------------------------

Novell's open source Hula Project will bring new applications to e- mail, predicted David Patrick, vice president of open source platforms at Novell.

See the Full Story:

http://www.newsfactor.com/story.xhtml?story_id=37743

------------------------------------------------------------

So, Novell wants to add more features to something already rendered a little insecure by extending it?  Anyone else see a problem with that?  Which raises the question, "how long until something evil propagates via podcast"?  Let's face it, there are all sorts of known holes in WMP.  RSS started out as a text-only information transmission system, and it's been extended with enclosures to include images (a couple of trojans already hide in malformed JPGs) as well as MP3 or WMA.  I'm guessing it's only a matter of time.

Monday, August 15, 2005 3:30:53 PM (Eastern Standard Time, UTC-05:00)
 Wednesday, August 10, 2005

My latest ASP Alliance article has been published: A Simple Passphrase Generator

Passphrases have been receiving more and more attention as part of a strong security policy. When building secure web-based applications, assigning random passphrases to new user accounts can be a bit of a challenge. In this article, we'll build a simple passphrase generator that can be used as part of a web application to set or reset user passphrases.

The sample project is in VB.NET / VS 2003.

Wednesday, August 10, 2005 8:35:21 AM (Eastern Standard Time, UTC-05:00)
 Monday, July 11, 2005

My latest ASP Alliance article has been published today:

Preventing Page Review after Logout with Forms Authentication

The inclusion of Forms Authentication in the .NET Framework has been a significant benefit to developers securing web-based applications. While pages can be secured server-side, local caching by browsers and proxy servers may allow a user to review information even after they have logged out. In some cases, this may present a risk to the user's confidential information. This article discusses three HTTP headers that can be used to prevent local caching of web pages, adding some protection to the user's data.

Read more: http://aspalliance.com/694

Monday, July 11, 2005 8:01:00 AM (Eastern Standard Time, UTC-05:00)
 Thursday, June 30, 2005

“The biggest challenge to developing secure applications is that most programmers don't know they're writing insecure applications. Let's look at a simple example, a forum-type application. However, any application that displays data entered by a user is a potential target.“ --Brad McCabe, XSS Happens

For an introduction to securing ASP.NET sites, check out Dino Esposito's article “Take Advantage of ASP.NET Built-in Features to Fend Off Web Attacks“.

Dino summarizes the most common types of Web attacks and describes how Web developers can use built-in features of ASP.NET to increase security.

Perhaps one of the most dangerous and overlooked attacks is the SQL Injection attack.  It's very easy to overlook how an attacker can exploit seemingly harmless SQL code, especially if a developer's experience and understanding of SQL is less than expert.  There are a number of articles available, including:

Stop SQL Injection Attacks Before They Stop You (MSDN Magazine, Sep 2004)
source: http://msdn.microsoft.com/msdnmag/issues/04/09/SQLInjection/default.aspx
This article discusses:

  • How SQL injection attacks work
  • Testing for vulnerabilities
  • Validating user input
  • Using .NET features to prevent attacks
  • Importance of handling exceptions

Preventing SQL Injection Attacks
source: http://www.wwwcoder.com/main/parentid/258/site/2966/68/default.aspx

Keep your code secure against intruders. In this article we provide examples of SQL injection attacks and how you can write code to prevent them. Stop people from getting information from your database.

Are you still vulnerable to a SQL Injection attack?
source: http://www.spidynamics.com/whitepapers.html

SQL Injection can deliver total control of your server to a hacker giving them the ability to read, write and manipulate all data stored in your backend systems!
Despite being remarkably simple to protect against, there are an astonishing number of production systems connected to the Internet that “fixed” the problem by hiding error data from the users but were left vulnerable to this type of attack!

Advanced SQL Injection In SQL Server Applications
source: http://www.nextgenss.com/papers/advanced_sql_injection.pdf

This document discusses in detail the common 'SQL injection' technique, as it applies to the popular Microsoft Internet Information Server/Active Server Pages/SQL Server platform. It discusses the various ways in which SQL can be 'injected' into the application and addresses some of the data validation and database lockdown issues that are related to this class of attack. The paper is intended to be read by both developers of web applications which communicate with databases and by security professionals whose role includes auditing these web applications.

(more) Advanced SQL Injection
source: http://www.nextgenss.com/papers/more_advanced_sql_injection.pdf

This paper addresses the subject of SQL Injection in a Microsoft SQL Server/IIS/Active Server Pages environment, but most of the techniques discussed have equivalents in other database environments. It should be viewed as a "follow up", or perhaps an appendix, to the previous paper, "Advanced SQL Injection".

The paper covers in more detail some of the points described in its predecessor, providing examples to clarify areas where the previous paper was perhaps unclear. An effective method for privilege escalation is described that makes use of the openrowset function to scan a network. A novel method for extracting information in the absence of 'helpful' error messages is described; the use of time delays as a transmission channel. Finally, a number of miscellaneous observations and useful hints are provided, collated from responses to the original paper, and various conversations around the subject of SQL injection in a SQL Server environment.  

One method to prevent SQL injection attacks is to use parameterized SQL queries.  This technique can be used for Access as well as SQL Server, and any other DB system that supports parameterized queries.  The articles below cover .NET with SQL Server, but the underlying examples should be easily adaptable to whatever system you're using.

Using parameterized SQL queries
source: http://www.uberasp.net/getarticle.aspx?id=46

Save yourself from SQL injection attacks and other nasty problems by passing along data in parameters.

The Curse and Blessing of Dynamic SQL
source: http://www.sommarskog.se/dynamic_sql.html

In this article I will discuss the use of dynamic SQL in stored procedures in MS SQL Server, and I will show that this is a powerful feature that you should use with care. I first discuss why we use stored procedures at all, before I explain the feature as such. I then look at the conflicts between the virtues of stored procedures and the effects of dynamic SQL. I also point to the common security issue known as SQL injection. I then move on to suggest some good coding practices. I conclude by reviewing a number of cases where dynamic SQL often is suggested as a solution, both where dynamic SQL is the way to go, and where it is a poor choice. For the latter cases, I suggest alternative strategies.

Dynamic Search Conditions in T-SQL
source: http://www.sommarskog.se/dyn-search.html

This article details the ways to use dynamic SQL in a stored procedure for searching SQL Server databases.  Written by a Microsoft MVP, there are a few topics that will be over the head of beginning SQL programmers, but this is still an important read.  This is a follow-up to “The Curse and Blessing of Dynamic SQL“.

It is important to have a full understanding of all the risks that your web application faces.  For this, Microsoft has released a guide for developers and administrators.  You can purchase the guide from Amazon, or download it for free from Microsoft.

Improving Web Application Security: Threats And Countermeasures
This guide gives you a solid foundation for designing, building, and configuring secure ASP.NET Web applications. Whether you have existing applications or are building new ones, you can apply the guidance to help you make sure that your Web applications are hack-resilient.
Web Applications (Hacking Exposed)
This work covers all major Web applications platforms and focuses on vulnerabilities across different programming languages, including PHP, ASP, Perl, JavaScript and Java. It includes examples of security attacks and countermeasures in Web application software.
Hacking Exposed: Network Security Secrets & Solutions, Fourth Edition (Hacking Exposed)
This text unveils the methods hackers use to break into systems, networks, and software, and suggests steps administrators can take to secure their computers at the different layers. The fourth edition covers the latest hacking methods and adds a chapter on 802.11 wireless networks. The DVD-ROM contains a video presentation with PowerPoint slides.

Thursday, June 30, 2005 6:33:19 PM (Eastern Standard Time, UTC-05:00)

We all should be familiar with the fact that concatenating user input directly into SQL statements is an open invitation to a SQL injection attack.  Code such as
MySql = "SELECT * FROM Orders WHERE CustomerId='" & txtCustomerId.Text & "'"
should be avoided.  If you need some more background information on SQL injection attacks, I am building a reference at http://www.rjdudley.com/blog/CrossSiteScriptingXSSAttacksSQLInjectionAndASPNET.aspx.  This reference will be updated as time goes on--there are a few good references now, and I'll post update notices to the security section of this blog.

The recommended practice for avoiding SQL injection attacks is to use parameterized queries or stored procedures (sprocs), where user input is passed as parameters.  Since information in parameters is not treated as executable code, any SQL code contained in the user input is rendered harmless.  Or is it?  That depends on what you do with that input inside of your sproc.

One of the common functions on a web site is querying a data store.  In advanced searches (those with more than a single input), it would be infeasible to create and maintain an sproc for every combination of search criteria.  Instead, one practice is to create an sproc that dynamically builds the SELECT statement based on the parameters passed to it.  Typically, there is an input parameter for each input on the search form, made optional by giving it a default of NULL in the parameter declaration (e.g., @orderId int = NULL).  Then, the sproc uses a series of statements such as

IF @orderId IS NOT NULL
   SELECT @sql = @sql + ' AND order_id=' + @orderId

to build up the complete SQL statement.  (With an int parameter SQL Server will actually refuse the implicit conversion and raise an error; in practice you see the value wrapped in CONVERT, or a varchar parameter such as a customer name concatenated straight in, which is exactly the exploitable case.)  At the end of the sproc, the EXECUTE statement runs the dynamically generated string against the database.

I remember what a revolutionary concept dynamic SQL in an sproc was for me when I was learning to write SQL.  It opened up a whole new way of writing SQL code and handling advanced searches on my websites.  But did you catch the security problem in the previous SQL statement?  I didn't at first, and in fact, I've been making this same security mistake for some time now.  It wasn't until I finally listened to Kim Tripp on DotNetRocks that I realized the problem (download the show from http://www.dotnetrocks.com/default.aspx?showID=75), and fortunately I only have a few sprocs to rewrite and fix this problem.

Look carefully at the statement again.  It looks like the parameter is being used in the SQL statement, but in reality, the parameter's value is being concatenated into the SQL text, which is then executed as a whole.  The technique demonstrated above is no better than the technique we dismissed in the first paragraph.

After listening to Kim's show, I did some digging around, and found an excellent reference on how to handle dynamic SQL in search queries at http://www.sommarskog.se/dyn-search.html.  In this article, SQL Server MVP Erland Sommarskog details ways to use dynamic and static SQL to perform searches that have a number of possible combinations of inputs.

As Erland shows us, the correct way to use dynamic SQL in the situation I presented above is to concatenate a placeholder for a second parameter into the SQL text, never the value itself, like so:

IF @orderId IS NOT NULL
   SELECT @sql = @sql + ' AND order_id=@xorderId'

We then build a declaration list of these second parameters, with their types, like so:

SELECT @paramList = '@xorderId int'

To finally execute the query, we execute a system sproc named sp_executesql.  As Erland states:

sp_executesql is a system procedure with a very special parameter list. The first parameter is a parameterized SQL statement. The second parameter is a parameter-list declaration, very similar to the parameter list to a stored procedure. And the remaining parameters are simply the parameters in that parameter-list parameter.

Our final statement would end up looking like:

EXECUTE sp_executesql @sql, @paramList, @orderId

Here @orderId is passed positionally, so its value is bound to @xorderId inside the statement; it never becomes part of the SQL text.  (Both @sql and @paramList must be declared nvarchar, since sp_executesql won't accept varchar.)  With this technique, our query is safe from malicious user input, as long as every value gets in this way.  Anything you still have to splice into the string as text (a column name for ORDER BY, for example) can't be a parameter and must be checked against a fixed list of allowed values instead.  This whole process is outlined in detail in Erland's article.
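Here is the whole thing put together, as an added example that is not from the original post or from Erland's article.  It assumes a made-up dbo.Orders table with order_id, customer_id, order_date and status columns, and adds a date range and a text column on top of the single @orderId above to show that the same pattern scales to any number of optional inputs:

```sql
-- Added example (not from the post or Erland's article): a complete optional-
-- criteria search procedure using sp_executesql.  The table and columns are
-- assumed for illustration.
CREATE PROCEDURE dbo.search_orders
    @orderId    int         = NULL,
    @customerId int         = NULL,
    @fromDate   datetime    = NULL,
    @toDate     datetime    = NULL,
    @status     varchar(20) = NULL
AS
BEGIN
    SET NOCOUNT ON

    -- sp_executesql insists on nvarchar for both the statement and the list.
    DECLARE @sql       nvarchar(4000),
            @paramList nvarchar(4000)

    -- Static skeleton; "1 = 1" lets every optional clause start with AND.
    SELECT @sql = N'SELECT order_id, customer_id, order_date, status
                    FROM   dbo.Orders
                    WHERE  1 = 1'

    -- Each branch appends a placeholder name, never the parameter's value.
    IF @orderId IS NOT NULL
        SELECT @sql = @sql + N' AND order_id = @xorderId'
    IF @customerId IS NOT NULL
        SELECT @sql = @sql + N' AND customer_id = @xcustomerId'
    IF @fromDate IS NOT NULL
        SELECT @sql = @sql + N' AND order_date >= @xfromDate'
    IF @toDate IS NOT NULL
        SELECT @sql = @sql + N' AND order_date < DATEADD(day, 1, @xtoDate)'
    IF @status IS NOT NULL
        SELECT @sql = @sql + N' AND status = @xstatus'

    SELECT @sql = @sql + N' ORDER BY order_date DESC'

    -- Declare every placeholder, typed, in one list.  Declaring ones that
    -- never made it into @sql is harmless.
    SELECT @paramList = N'@xorderId int, @xcustomerId int, @xfromDate datetime,
                          @xtoDate datetime, @xstatus varchar(20)'

    -- Values are bound to the placeholders by position.  A @status of
    -- ' OR 1=1 -- is compared literally to the status column and matches nothing.
    EXEC sp_executesql @sql, @paramList,
         @orderId, @customerId, @fromDate, @toDate, @status
END
GO

-- Constructed calls for illustration:
EXEC dbo.search_orders @customerId = 42, @status = 'shipped'
EXEC dbo.search_orders @status = ''' OR 1=1 --'
```

The second call returns no rows because the quote and the comment marker travel as data, not as SQL.  If you later add a user-selectable sort column, it cannot go through @paramList; compare it against a hard-coded list of column names before concatenating it into the ORDER BY clause.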

Since writing sprocs as outlined in Erland's article can be tedious, I created a CodeSmith template that will do the work for you.  You only need to input the table you wish to query, and CodeSmith will generate a complete sproc for you.  You can then edit the sproc down, since it will include every column in the table.  You can find the template at http://www.ericjsmith.net/codesmith/forum/default.aspx?f=9&m=4346.

<update 2005-07-06: fixed DNR show link>

Thursday, June 30, 2005 6:29:46 PM (Eastern Standard Time, UTC-05:00)
 Wednesday, June 22, 2005
Microsoft MVP Susan "The SBS Diva" Bradley gives a short overview about sending encrypted e-mails.  In her post, she says you have to purchase a digital certificate.  From some certificate authorities, you may have to do so, but Thawte offers free certificates for e-mail through their Web of Trust program.  When your certificate is issued, the name on the certificate is "Thawte Freemail Member".  In order to have your name appear on the certificate, you need to get yourself notarized.  Basically, you meet up with a Thawte notary (I am one), who looks at two forms of identification and assigns you points.  You need 50 points to be notarized (I can assign up to 35, the maximum allowed), and then your certificates will contain your name.  There's more information at the WOT site at http://www.thawte.com.wot.
Wednesday, June 22, 2005 9:31:43 AM (Eastern Standard Time, UTC-05:00)
 Wednesday, June 15, 2005

In a recent posting to the aspnet-security group at ASP Advice, Julie Lerman asked:

Since the site is hosted on someone else's server, I don't believe that I can use DPAPI to encrypt the connection strings

Actually, you can, and I use DPAPI on a number of sites in shared hosting environments.  I typically use the machine store as the data protection store, rather than the user store, but that's a personal habit when looking at the shared hosting environment.

One downside to the machine store is that any code running on the same server can decrypt your application settings, unless you also set an entropy value.  Even then, the entropy in this example lives inside a DLL on the same shared server, so anyone who can read your bin folder can recover it; it raises the bar, but it is not a substitute for keeping other tenants out of your files.  In my sample project, I set the entropy when the DPAPI helper is instantiated.

I mentioned I had a small project I use to encrypt connection strings using Carl Franklin's DPAPI helper.  All I do is upload two DLLs and my ASPX to the site I'm working on, enter the connection string (or whatever), click Encrypt, and copy the output to the web.config.  When I'm done, I delete the DLLs and page so no one accidentally finds them.  You can find my little project at http://rjdudley.com/projects/dpapi_example.zip.

To use my little project:

  1. Download and unzip Carl's DPAPI helper from http://franklins.net/dotnet/.
  2. Download my dpapi example from http://rjdudley.com/projects/dpapi_example.zip.  Unzip it to c:\inetpub\wwwroot\dpapi.
  3. Create an IIS application named dpapi (address will be http://localhost/dpapi) that points to c:\inetpub\wwwroot\dpapi. 
  4. Open the solution file in VS
  5. Add a reference to the DPAPI Helper DLL, found at <install>\DPAPIHelper\bin\DPAPIHelper.dll.  Make sure to use the dpapihelper.dll!  There is also a dpaphelper.dll (missing an 'i' in the name), and I'm not sure what that's for.
  6. Recompile the project.
  7. Deploy the dpapihelper.dll and dpapi.dll to the site's BIN folder, and dpapi.aspx to the site's root folder.
  8. Load the dpapi.aspx page, and encrypt on!

Drop me a line or leave comments with any Q's.

<update 2005-06-16>To use the DPAPI encrypted strings in your application, you need to include two lines of code: the constructor that starts “Dim dp...”, and the dp.decrypt method call.  In the constructor, there is a short string passed in as an argument.  DPAPI calls this value the optional entropy (the pOptionalEntropy parameter of the underlying CryptProtectData call); it is not an initialization vector, but it acts as a secondary secret that has to be exactly the same in your app as in the DLL used to encrypt your strings.  Otherwise, you won't be able to decrypt the information in your app.  I recommend changing the entropy if you use this example, and using a different one for each site.  Remember also to leave the DPAPIHelper.dll on your site if you plan to decrypt the encrypted values.</update>

Wednesday, June 15, 2005 1:26:03 PM (Eastern Standard Time, UTC-05:00)
 Wednesday, June 01, 2005

The Wall St. Journal has an article today about one step Bank of America is taking to thwart phishing attacks:

First, the bank allows customers to "register" frequently-used machines, such as a home or office PC, with its online system. When customers use one of those computers to access the site, they are shown a picture after entering a username. If the picture matches the image the user chose when setting up the account, the customer knows they are in the right place, and then enters a password to access accounts.
 
When customers try to access accounts from a computer that Bank of America doesn't recognize, the image doesn't appear. Instead, users must answer a challenge question, like "What was your high school mascot?" The bank tracks computer IP addresses and also uses cookies to identify PCs.

The on-line article has a nice graphic that shows the UI part of the process.  It looks like if you keep the cookie on your computer, you'll go straight to the photo or challenge question, after which you can enter your passcode.  Otherwise, you'll have the additional step of entering your user ID.

Wednesday, June 01, 2005 1:04:43 PM (Eastern Standard Time, UTC-05:00)
 Friday, May 20, 2005

I have a love/hate relationship with those CAPTCHA tests on websites.  I understand why, and am fascinated at just how good the human mind is at pattern resolution.  Yet, they're additional typing.  Anything to foil a spambot I guess.

I was looking into adding a test into a project of my own, and I came across these references.

15 Seconds : Fighting Spambots with .NET and AI

This article explains how intelligent applications from Carnegie Mellon University and Berkeley researchers counter auto registration spam programs and how to build your own using ASP.NET & XML Web services.

A Generic CAPTCHA Image Tester

What's unique here is my implementation - it's generic enough to use in a classic ASP page, or in an ASP.NET page, it does NOT require the use of Session State, and that's what makes it more useful. The key here is that we use an aspx page to generate the image, and we simply make our image tag's src property point to this page.

The Code Project - CAPTCHA Image - ASP.NET

This article demonstrates how to create such an image and employ it within an ASP.NET web form.

The CAPTCHA Project Website - CMU School of Computer Science

CAPTCHA.NET is the homepage of CMU's CAPTCHA Project

Formshield is a free .NET CAPTCHA control available at http://dotnetfreak.co.uk/blog/archive/2004/11/06/166.aspx.

Many thanks to Kevin Gearing!  There are some samples as well--very cool.

FormShield started out as a simple project with just one aim - to prevent automated form submission using dynamically generated images.

Not exactly a new idea - dynamically generated images requiring the user to enter the text found on the image have been around for quite a while (see http://www.captcha.net/), preventing automated sign-ups to free e-mail services such as HotMail and Yahoo, and automated whois lookups on domain names on sites such as Network Solutions.

Whilst some code exists on Code Project (http://www.codeproject.com/aspnet/CaptchaImage.asp), there didn't however seem to be a free, easy-to-use and customisable control for ASP.NET with full designer integration that could generate the relevant images. So, looking for an excuse to delve into GDI+, FormShield was born and my idea of a 'simple' control was dropped...

Friday, May 20, 2005 8:35:51 PM (Eastern Standard Time, UTC-05:00)