Wednesday, October 27, 2004

Yeh !!!

My Security Blog has 100+ posts !

Tuesday, October 26, 2004

MSDN Magazine November // security //

" Read this month's MSDN Magazine,
focus on SECURITY "
November 2004
Download the complete code from this issue:
MSDNMag0411.exe (1,868 KB)

Download this complete issue in HTML Help format:
MSDNMag0411.chm (1,274 KB)
NOVEMBER 2004, Volume 19 Number 11
Read Online

most popular password ???

What's the most popular password ???

On average, the human brain can hold only five to nine "random bits of information" in short-term memory. Considering the brain's limited capacity and the sheer number of secret names, codes, and words a person needs to remember in this password-protected age, it's no surprise that the most common password is simply "password."

Besides serving as an easy-to-remember code for less-creative computer users, "password" is often used as the default password for many web sites and programs, making it extremely common and not at all secure. In other words, "password" is a bad password.

Other perennial favorites include "God," "sex," "money," and "love." Passwords based on the names or birthdays of partners, children, or pets are also quite common. Here's a pretty lengthy list of common passwords. Make sure to scan it and look for yours. If yours made the list, it's probably a good idea to change it.

source: AskYahoo!
Check if your password is among the common passwords used!

Monday, October 25, 2004

Security Report: Windows vs Linux

A security report detailing the design, security and severity metrics of both Windows and Linux. It also contains a comparison of 40 recent patches for both OSs in a big table. (You might want to increase the browser text size to read that.)

Me, Geekswithblogs

Yes!!! I now have a blog on GWB.
My new blog will be a Technology Blog that's going to compete with my security blog.

My security blog continues...

My Technology blog:

Friday, October 22, 2004

SPAM ( now and again )

How do you get SPAMMED:

Spammers get your email address from various advertising sites
(ever subscribed hoping to get free gifts, etc.?), and also from your profiles, forums, groups and even search engines. SpamBots work 24/7 scanning Google and other search engine result pages, building a DB of all our email addresses for spammers to spam. A few search engines like Google try their best not to list any email address in their results, but many of us post our email address on Yahoo and MSN profiles, don't we!!! Apart from that, many group and forum sites, including Yahoo! and MSN :(, have no protection against these spambots, i.e. our email address is free to be scanned and copied!

Some forums have email protection employed (check out this site): you can post and get replies to the post at your email address, but spambots can't scan the email address since it is not displayed, hence your email address is safe to use. Hope MSN & Yahoo get this ON soon on their groups, seeing the amount of spoof-mails that are getting posted every day. And then we have Trojans, nasty little worms, a few of which even spam all friends in our address book, resulting in a spammed chain.

So next time, don't curse spammers if you are getting spammed!!! Because we are equally responsible.

Here are some tips to keep spam away from your email:

  • Why would anyone give free gifts from an unknown source for no reason??? Believe me, nothing is free on the net (unless it's on HTTPS and is verified by eTrust and has a good PRIVACY Policy. LOL). Don't fall for it and register your email address; they are the abyss to Spamdom!!!
  • Don't post your email in your profiles or any other public site unless you are trying to get the attention of spammers.
  • Keep Yahoo and MSN groups closed for public access, else spambots can access and scan for email addresses in the group.
  • If you must post your email address OPENLY, then post that of an alias or an email forwarder address so that you can delete it once you start getting spam for that email. Check out Yahoo's spam protection email service, or use a free email address for all your web-posting and other activities; else waste time and money cleaning spam from your valuable personal and company mailboxes.
  • If you are using email clients to download your mails, never open an attachment unless scanned by AV.
  • Ever seen any links in spam saying "click here to unsubscribe"? Well, if you didn't subscribe, then how would you unsubscribe?!? Don't click on any links in the spam mail; it just validates your email address. Else get ready for MORE... SPAM.
  • Anybody (webmasters) who wishes to display their email address can paste an image of their email address or use tags like [at] instead of @ for posting their mail address, to avoid getting scanned by spambots, as they generally search for the [ x@y.general extensions ] format to SPAM.

How to know if you are spammed??? Well, you will know!!! Your junk folder would get 100's of mails, your friends will receive spoofed attachments with your mail address, etc. etc. It's just the beginning... Wish to handle spam!!!
Read this: "Handling unwanted e-mail (spam)".

Read more about spam... (do's and don'ts)



It's been ~7 months since I started using GMail & today I got my first spam mail!
Believe it: "7 Months - Spamfree" just proves how spam-free one can be just by being careful with the distribution of their email address.
So next time, instead of cursing spam, try to keep your email address secure => a better way of being spamproof.

Mitigate Security Risks by Minimizing the Code You Expose to Untrusted Users

[from msdn security development center]

Mitigate Security Risks by Minimizing the Code You Expose to Untrusted Users

Michael Howard

This article discusses:
Identifying and reducing attack surface
Reducing the amount of code executing by default
Reducing the volume of code accessible to untrusted users
Limiting damage if hackers do attack your code

Code fails. It's a sad fact of life. In the industry, we worry a lot about improving code quality. While code quality is exceptionally important, most code will eventually fail so we cannot focus exclusively on getting the code right. Imagine for a moment your code is perfect. It's only perfect by today's standards—a snapshot of best practices at the time it was developed. Yet the vulnerability research landscape is constantly evolving. Four years ago, integer overflow attacks were almost unheard of; now they are the attack du jour! Imagine broadening the scope to all the code you've ever delivered to customers.

Read the full article Here

Tuesday, October 19, 2004

Windows Server 2003 Security Guide

The Windows Server 2003 Security Guide focuses on providing a set of easy to understand guidance, tools, and templates to help secure Windows Server 2003 in many environments. While the product is extremely secure from the default installation, there are a number of security options that can be further configured based on specific requirements. This guidance not only provides recommendations, but also the background information on the risk that the setting is used to mitigate as well as the impact to an environment when the option is configured.

Monday, October 18, 2004

Microsoft and Cisco make security pact

Microsoft and Cisco Systems plan to work more closely together to improve IT security.

The world's largest computer software and networking firms announced, that they will share product information with each other to address the growing threat of malicious software.

The move will help allay previous fears that the two dominant technology firms were taking different approaches to security, potentially leading to interoperability problems when customers tried to integrate systems.

By sharing information the firms hope to achieve product compatibility between Cisco's Network Admissions Control and Microsoft's Network Access Protection, their respective endpoint security software products.

'Security is not an island,' said Cisco chief executive John Chambers. 'By working with Microsoft, Cisco is again demonstrating its commitment to taking every step possible to provide our customers with the industry's best tools and technologies for network security.'

Microsoft chief executive Steve Ballmer added: 'This important alliance with Cisco underscores Microsoft's ongoing commitment to creating a more secure computing environment for customers.'

Links : 1, 2.

Friday, October 15, 2004

Configuring SQL Server Security for .NET Applications

This article describes how to configure the SQL Server for .NET applications. By default, the SQL Server denies access to user accounts that have not explicitly been granted access to a database, a table, or a view. By default, ASP.NET applications run in the context of the ASPNET user account. Unless you permit access to the ASPNET user account, an ASP.NET application cannot read and cannot update data in an SQL Server database. This article describes the process that you can use to permit an ASP.NET application to have permissions to an SQL Server 2000 database.

Note: You must give the ASPNET user account only minimal permissions to run. This limits the potential damage that may result to an ASP.NET application that is compromised by a malicious attacker.


.NET Developer's Guide to Windows Security

The .NET Developer's Guide to Windows Security
by Keith Brown

Author Keith Brown crystallizes his application security expertise into 75 short, specific guidelines. Each item is clearly explained, cross-referenced, and illustrated by detailed examples. The items build on one another until they produce a comprehensive picture of what tools are available and how developers should use them. The book highlights new features in Windows Server 2003 and previews features of the upcoming version 2.0 of the .NET Framework. A companion Web site includes the source code and examples used throughout the book.

Topics covered include:

  • Kerberos authentication
  • Access control
  • Impersonation
  • Network security
  • Constrained delegation
  • Protocol transition
  • Securing enterprise services
  • Securing remoting
  • How to run as a normal user and live a happy life
  • Programming Security Support Provider Interface (SSPI) in Visual Studio.NET 2005

Battle-scarred and bright-eyed developers alike will find in The .NET Developer's Guide to Windows Security bona-fide solutions to the everyday problems of securing Windows applications.

Code SAMPLES Download Here.
Read the Complete Book @ Author's Site.
Buy the book : Bookpool, Amazon, Barnes & Noble.

Trustworthy Computing

Trustworthy Computing -> Ensure a safe and reliable computing experience

Trustworthy Computing Goals:

1. Security - The customer can expect that systems are resilient to attack, and that the confidentiality, integrity, and availability of the system and its data are protected.

2. Privacy - The customer is able to control their information and feel confident it is not only safe and used appropriately, but in a way that provides value to them.

3. Reliability - The customer can depend on the product to fulfill its functions.

4. Business Integrity - The vendor of a product behaves in a responsive and responsible manner.

Microsoft Trustworthy Computing Framework - SD3+C:

1. Secure by Design — Improving architecture and engineering.

2. Secure by Default — Reducing attack surface by disabling unnecessary functions.

3. Secure in Deployment — Ongoing protection, detection, defense, recovery, and maintenance through good tools and guidance.

4. Communications — Listening to customers and communicating clearly, openly, respectfully, and honestly.

For more info Refer here:

1. MSDN TV: Thinking About Security:
Secure by Design, Secure by Default, Secure in Deployment and Communications.
2. Trustworthy Computing White Paper - twc_mundie.doc.
3. Trustworthy Computing 2003 Year in Review.
4. The Privacy Source Guide - privsource.doc.

Thursday, October 14, 2004

Microsoft warns of 22 new security flaws

Microsoft on Tuesday published 10 software security advisories, warning Windows users and corporate administrators of 22 new flaws that affect the company's products.
The advisories, and patches published with the bulletins, range from an "important" flaw affecting only Microsoft Windows NT Server to a collection of eight security holes, including three rated "critical," that leave Internet Explorer open to attack. Microsoft's highest severity rating for software flaws is its "critical" ranking, while "important" is considered slightly less severe. One flaw, in Microsoft Excel, even affects Apple Computer's Mac OS X.

The abundance of flaws could leave corporate PCs vulnerable to attack if administrators are not able to patch quickly. A similar situation occurred in April, when Microsoft published seven advisories detailing 20 flaws. While one security hole stood out among those 20--and led to the widespread Sasser worm--there are no standouts in the current gaggle of goofs.

"Our challenge is trying to guess what the criminals are going to attack," said Stephen Toulouse, security program manager for Microsoft's security response team. "The guidance we are giving in general is to treat the critical ones first." A single computer would not be vulnerable to all the flaws, Toulouse added.

Oliver Friedrichs, senior director of Symantec's security response center, said three vulnerabilities could lead to a Sasser-like worm, but the danger is lessened by the fact that the vulnerable services are not started by default on most versions of Windows. These flaws are related to three network protocols that are not generally activated on Windows computers: Simple Mail Transfer Protocol (SMTP), Network News Transfer Protocol (NNTP), and Network Dynamic Data Exchange (NetDDE).

"Blaster and Sasser targeted core system vulnerabilities, where if you didn't have the patch you were vulnerable," Friedrichs said. "The key thing here is that these are not (generally) enabled by default. The question is how large is the deployment of vulnerable systems."
Microsoft rates the SMTP flaw critical only for Microsoft Exchange Server 2003. The NNTP flaw is rated critical for Microsoft Exchange 2000.

The other major class of flaws are those that affect applications on desktop computers, such as Internet Explorer and Excel. Threats to so-called client-side applications have been growing, Friedrichs said. Of the current crop of vulnerabilities, 12 fall into that category. Of these, Microsoft rated five critical: three of the eight vulnerabilities in Internet Explorer, as well as two flaws in Excel. Several of the flaws could be used to create Web content that would run a program from the Internet, if a victim could be lured to the malicious Web site.
Symantec raised its overall Internet Threat Condition to 2 from 1, on account of the newly released vulnerabilities.

Tuesday, October 12, 2004


Wondering, What is a SMURF Attack ???

The SMURF Attack, named after its exploit program, is a denial-of-service attack which uses spoofed broadcast ping messages to flood a target system.

In such an attack, a perpetrator sends a large amount of ICMP echo (ping) traffic at IP broadcast addresses, all of it having a spoofed source address of a victim. If the routing device delivering traffic to those broadcast addresses performs the IP broadcast to layer 2 broadcast function, most hosts on that IP network will take the ICMP echo request and reply to it with an echo reply each, multiplying the traffic by the number of hosts responding. On a multi-access broadcast network, there could potentially be hundreds of machines to reply to each packet.

Several years ago, most IP networks could be thus used in smurf attacks -- in the lingo, they were "smurfable". Today, thanks largely to the ease with which a network can be made immune to this abuse, very few networks remain smurfable.

To secure a network with a Cisco router from being used in a smurf attack, the router command no ip directed-broadcast will suffice.
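As an added example (not part of the original post), here is a small Python detector for the two signals the description above gives: echo requests addressed to a subnet's directed-broadcast address (the traffic that `no ip directed-broadcast` stops the router from expanding to every host) and the resulting fan-in of echo replies at the spoofed source. The packet records, subnets and addresses are constructed for illustration.

```python
import ipaddress
from collections import Counter

# ICMP message types used below.
ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0

# Constructed sample of ICMP traffic as (src, dst, icmp_type) tuples,
# using documentation address ranges.
SAMPLE_PACKETS = [
    ("192.0.2.10", "192.0.2.20", ICMP_ECHO_REQUEST),    # ordinary host-to-host ping
    ("192.0.2.20", "192.0.2.10", ICMP_ECHO_REPLY),
    ("203.0.113.7", "192.0.2.255", ICMP_ECHO_REQUEST),  # echo request aimed at the subnet broadcast
    ("203.0.113.7", "192.0.2.255", ICMP_ECHO_REQUEST),
    ("192.0.2.11", "203.0.113.7", ICMP_ECHO_REPLY),     # local hosts answering the (spoofed) source
    ("192.0.2.12", "203.0.113.7", ICMP_ECHO_REPLY),
    ("192.0.2.13", "203.0.113.7", ICMP_ECHO_REPLY),
    ("192.0.2.11", "203.0.113.7", ICMP_ECHO_REPLY),
    ("192.0.2.12", "203.0.113.7", ICMP_ECHO_REPLY),
    ("192.0.2.13", "203.0.113.7", ICMP_ECHO_REPLY),
]

# Subnets this router/sensor is responsible for (constructed).
LOCAL_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]


def is_directed_broadcast(dst, networks=LOCAL_NETWORKS):
    """True if dst is the broadcast address of one of our subnets, i.e. a packet
    that `no ip directed-broadcast` would keep from being expanded to every host."""
    addr = ipaddress.ip_address(dst)
    return any(addr == net.broadcast_address for net in networks)


def broadcast_echo_requests(packets, networks=LOCAL_NETWORKS):
    """Echo requests addressed to a directed broadcast: the amplification trigger."""
    return [(src, dst) for src, dst, t in packets
            if t == ICMP_ECHO_REQUEST and is_directed_broadcast(dst, networks)]


def reply_fan_in(packets):
    """Count echo replies per destination; a victim shows up as one address
    receiving replies from many distinct local hosts."""
    return Counter(dst for _, dst, t in packets if t == ICMP_ECHO_REPLY)


def smurf_report(packets, networks=LOCAL_NETWORKS):
    """Correlate both signals. Returns (suspected_victim, requests, replies, amplification),
    or None when no broadcast echo requests were seen."""
    triggers = broadcast_echo_requests(packets, networks)
    if not triggers:
        return None
    # The spoofed source of the broadcast requests is the address that gets flooded.
    victim = Counter(src for src, _ in triggers).most_common(1)[0][0]
    requests = sum(1 for src, _ in triggers if src == victim)
    replies = reply_fan_in(packets)[victim]
    return victim, requests, replies, replies / requests


if __name__ == "__main__":
    # Expected for the sample: ('203.0.113.7', 2, 6, 3.0)
    print(smurf_report(SAMPLE_PACKETS))
```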

Definitions from Google...

Google - define:SMURF Attack

A malicious attack where the hacker sends a large number of spoofed ping packets to broadcast addresses, with the intent that these packets will be magnified and sent to the spoofed addresses. This has exponential possibilities, depending on how many hosts respond. (link)

A Denial of Service attack that floods its target with replies to ICMP echo (PING) requests. A smurf attack sends PING requests to internet broadcast addresses, which forward the PING requests to up to 255 hosts on a subnet. The return address of the PING request is spoofed to be the address of the attack target. All hosts receiving the PING requests reply to the attack target, flooding it with replies. (link)

An attack against availability based in part on an attack on authenticity. Smurf uses a broadcast ICMP echo (ping) with a spoofed source address, resulting in a high volume of responses to the spoofed system. (link)

Sunday, October 10, 2004

Canonicalization ?!?

What is Canonicalization?
Canonicalization is the process by which various equivalent forms of a name can be resolved to a single standard name, or the "canonical" name. For example, on a specific computer, the names c:\dir\test.dat, test.dat, and ..\..\test.dat might all refer to the same file. Canonicalization is the process by which such names are mapped to a name that is similar to c:\dir\test.dat.

When a URL is received by a Web server, the server maps the request to a file system path that determines the response. The canonicalization routine that is used to map the request must correctly parse the URL to avoid serving or processing unexpected content.
ASP.NET Vulnerability :

The issue is that ASP.NET fails to perform proper canonicalization of some URLs.
It affects Web content owners who are running any version of ASP.NET on Microsoft Windows 2000, Windows 2000 Server, Windows XP Professional, and Windows Server 2003.
An attacker can send specially crafted requests to the server and view secured content without providing the proper credentials. This reported vulnerability exists in ASP.NET and does not affect ASP.
To know more about this issue and recommended guidance on best practices, visit
What You Should Know About Reported Vulnerability in Microsoft ASP.NET
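As an added example (not from the original post or from Microsoft's module), the following Python code shows the bug class described above: an access rule applied to the raw request string versus the same rule applied after canonicalization. The web-root layout, the hypothetical `/secure/` rule and the request spellings are constructed; the Windows-style assumptions (backslash as separator, case-insensitive names) follow the c:\dir\test.dat example in the text.

```python
import posixpath
from urllib.parse import unquote

# Hypothetical access rule for this example: everything below /secure/ requires credentials.
PROTECTED_PREFIXES = ("/secure/",)


def canonicalize(requested: str) -> str:
    r"""Reduce the equivalent spellings of a request path to one canonical form.

    Assumes a Windows-style target (as in the c:\dir\test.dat example): backslash is a
    separator and names are case-insensitive. Percent-encoding is decoded exactly once.
    """
    path = unquote(requested)           # %73 -> 's', %5c -> '\'  (decoded once, never twice)
    path = path.replace("\\", "/")      # treat both separators alike
    path = path.lower()                 # case-insensitive file system
    path = "/" + path.lstrip("/")       # anchor at the web root, drop duplicate leading slashes
    return posixpath.normpath(path)     # collapse '.', '..' and '//' segments; '..' cannot climb above '/'


def naive_requires_auth(requested: str) -> bool:
    """The mistake: apply the rule to the raw request string."""
    return requested.startswith(PROTECTED_PREFIXES)


def requires_auth(requested: str) -> bool:
    """The fix: canonicalize first, then apply the rule."""
    return canonicalize(requested).startswith(PROTECTED_PREFIXES)


# Constructed equivalent spellings of the same protected resource.
EQUIVALENT_REQUESTS = [
    "/secure/page.aspx",
    "/secure\\page.aspx",
    "/Secure/page.aspx",
    "/./secure//page.aspx",
    "/public/../secure/page.aspx",
    "/%73ecure/page.aspx",
]


def compare_checks(requests=EQUIVALENT_REQUESTS):
    """Return {request: (naive_decision, canonical_decision)} to show where the two diverge."""
    return {r: (naive_requires_auth(r), requires_auth(r)) for r in requests}


if __name__ == "__main__":
    for req, (naive, canon) in compare_checks().items():
        print(f"{req!r:32} naive={naive!s:5} canonical={canon}")
```

Only the first spelling is recognised by the naive check, while every spelling maps to the same canonical path and is therefore protected by the corrected check.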

Check this KB article - it provides prescriptive guidance on how to protect against canonicalization issues immediately on your site. This KB will help developers protect themselves on a per-application basis.
The vulnerability was first reported on NTBugtraq.

ASP.NET ValidatePath Module :

Microsoft has released an ASP.NET HTTP module that Web site administrators can apply to their Web server. This module will protect all ASP.NET applications against all potential canonicalization problems known to Microsoft.

Microsoft updated the security site with the updated new information and guidance related to the reported ASP.NET security vulnerability.
*** All customers with any ASP.NET deployments, on any operating systems should follow the guidance provided. ***
To ease things up, Microsoft released a new HTTP Module as a mitigation best practice.
This comes in the form of an MSI installer that will help protect all ASP.NET applications on a Web server. The MSI installer places a binary into the GAC and updates the machine.config file for ASP.NET.

* Download information
* Download the MSI directly

You can find the detailed guidance about the HTTP Module, how the MSI works, how to deploy it, etc., in this KB Article:

Source : Arun

Saturday, October 09, 2004

Free Microsoft® Security E-Learning Clinics

Learn on your own schedule. At your own pace. In your own office.
Free Microsoft® Security E-Learning Clinics follow the same content outline as Microsoft Security Webcasts, but deliver that information via a learner-centered format that offers unique user benefits. With an E-Learning Clinic, you can access the security topic you want, when you want it, and learn at your own pace. Each lesson can be paused, and all security topics are indexed for fast and easy repeat use.

Sign on today for an E-Learning Clinic and get free information that can help you better protect your organization against security threats. In addition to e-learning clinics, there are also free Microsoft Official Hands-On Labs Online, where you can perform security-related procedures in a safe, networked environment powered by Microsoft Virtual Server technology. Hands-On Labs let you see for yourself how to implement the security best practices discussed in the clinics. Microsoft Security Hands-On Labs are also offered for free at participating Certified Partners for Learning Solutions. For these and other security training options, please visit the Security Program Guide.

Security Clinics & Labs

Clinic 2801: Microsoft® Security Guidance Training I
Summary: This online clinic provides students with introductory knowledge and skills essential for the design and implementation of a secure computing environment. It also provides students with prescriptive guidance on security update management and best practices for implementing security on Microsoft Windows® server and client computers.
Audience: IT Pro

Clinic 2802: Microsoft® Security Guidance Training II
Summary: This online clinic builds on existing knowledge of server and client security and provides students with the knowledge and skills to apply best practices to implement perimeter and network defenses and enhance security for applications and Microsoft® Windows Server System™ components. It also provides students with prescriptive guidance to enhance security for Microsoft Windows® server and client computers and practical strategies for implementing security for wireless networks.
Audience: IT Pro

Clinic 2806: Microsoft® Security Guidance Training for Developers
Summary: This online clinic provides students with knowledge and skills essential for the creation of applications with enhanced security. Students will learn about the need for implementing security at every stage of the development process and best practices for applying security principles. Students will also learn how to use established threat modeling methodologies and tools with other best practices to minimize vulnerabilities and limit damage from attacks. Finally, students will learn how to implement security features to enhance security for Web applications and Web services that are built by using Microsoft ASP.NET.
Audience: Developer
Hands-On Labs:
Hands-On Lab 2811: Applying Microsoft® Security Guidance Training
Summary: This hands-on lab allows students to apply information and guidance that can help improve security in a network based on Microsoft Windows®. Students can perform tasks related to security update management and implementing security on Microsoft Windows® server and client computers.
Audience: IT Pro