Monday, January 31, 2005

A security option in IE you may wish to change !

I just picked up some very interesting information via colin's blog.

It seems that in IE javascript can extract data out of your clipboard. It doesn't work with FireFox either because the feature is not supported or off by default. Luckily, it is a security option and it can be disabled.

  • Go to Tools --> Internet Options...
  • Click on the Security Tab
  • Select Internet Zone and then click Custom Level...
  • Scroll down to the scripting section and see "Paste operations via script"
  • Change the value to Prompt or Disable

Can't Believe what i am saying, see it in action by copying some text, and clicking the link: Show clipboard contents 

Only IE and other IE based browsers are @ risk, like Maxthon / MyIE2, no probs with firefox,netscape,etc...

SQL Injection Attacks and Some Tips on How to Prevent Them

Introduction

Security in software applications is an ever more important topic. In this article I discuss various aspects of SQL Injection attacks, what to look for in your code, and how to secure it against SQL Injection attacks. Although the technologies used here are SQL Server 2000 and the .NET Framework the general ideas presented apply to any modern data driven application framework, which makes attacks potentially possible on any types of application that depends on that framework.

What is a SQL Injection Attack?

A SQL Injection attack is a form of attack that comes from user input that has not been checked to see that it is valid. The objective is to fool the database system into running malicious code that will reveal sensitive information or otherwise compromise the server.

There are two main types of attack. First-order attacks are when the attacker receives the desired result immediately, either by direct response from the application they are interacting with or some other response mechanism, such as email. Second-order attacks are when the attacker injects some data that will reside in the database, but the payload will not be immediately activated. I will discuss each in more detail later in this article.

Read the full article

More Links:
SQL A to Z Here: www.extremeexperts.com
SQL Server DO's and DON'Ts
Unauthorised access to a SQL Server, and how to prevent it

Thursday, January 27, 2005

Keeping Secrets Secret: Steganography with .NET

Steganography is a way to protect information by hiding it "in plain sight" within other types of digital content. Steganography complements rather than replaces encryption by adding another layer of security -- it's much more difficult to decrypt a message if you don't know that there is a message. See how to leverage .NET to create steganographic techniques that hide encrypted information inside common digital data files.

teganography, literally "hidden writing," is nowadays most often associated with embedding data in some form of electronic media. Data is hidden by adding or altering insignificant bits of information of a file. For example, an algorithm designed to embed a text message might slightly alter information describing the RGB composition of a pixel for an image file.

This article illustrates a typical steganography (or stego) application scenario. The application receives the data to hide as input -- text, audio, video, or image -- and the file in which data will be hidden, called the cover file. The stego file is the result of the process. Although it contains the original cover file data as well as the hidden stenographic information, the stego file is virtually identical to the cover file.

This article introduces the most common stenography algorithms and techniques. Then, it shows how to design and implement a .NET library to hide text messages in 24-bit bitmapped (.bmp) files. The sample code includes both a command-line and a GUI application that serve as proof of concept and let you experiment with the techniques discussed.

Page 1: Introduction
Page 2: The Stego Library
Page 3: The BMPCoverFile Class
Page 4: The BMPStegoFile class
Page 5: Building Client Applications

Implementing Encrypted SQL Server Database Columns with .NET

Many government agencies needing HIPAA compliance, such as HUD, require encryption of certain database columns. For systems tracking victims of domestic abuse, it's critical to encrypt personally identifiable data. Fortunately, implementing encrypted database columns is simple using .NET and SQL Sever 2000.

by David Talbot

Page 1: Introduction
Page 2: Introducing AES Encryption
Page 3: Applying AES Encryption to Databases
Page 4: Encrypting and Storing a Record
Page 5: Finding and Decrypting a Record

Wednesday, January 26, 2005

Harden MS Reporting Services Using Custom Extensions

An incredibly flexible extensibility model is included with Microsoft Reporting Services and hammering down a custom security model is one smart way to take advantage. Shore up your implementation with forms authentication and role membership.

by Teo Lache

Page 1: Introduction
Page 2: Internet Reporting
Page 3: Understanding RS Forms Authentication
Page 4: Introducing the Adventure Works Portal
Page 5: Setting Up the Forms Authentication
Page 6: User Authentication
Page 7: User Authorization

Vulnerability on .Text Blogs

Click here to read my article on " Vulnerability on .Text Blogs "

Highly Recommended !

illustrations of this Vulnerability are also shown.

Discovery of this Vulnerability by:
Thota Umesh # 24/01/2005.

Saturday, January 22, 2005

Digital Black Belt Webcasts: Defend Your Code from Attacks

Hackers are busier than ever. Do you know how they attack? Is your code ready to stand up against those attacks? If you answered no to either of these questions, join us for the Digital Blackbelt webcast series as Developer Community Champion Joe Stagner discusses security risks, vulnerabilities, and solutions from the software developer's perspective. We will provide real-life examples and security tips and tricks that can help you gain the knowledge and techniques to become an experienced blackbelt in writing secure code.

Bonus: Be one of the first 300 to attend six live webcasts in this series (and submit an evaluation) and you will receive an official Microsoft security blackbelt!* And by attending a live webcast in this series and submitting an evaluation, you will qualify to win a Portable Media Center (official rules) pre-loaded with our (ms) best security webcasts!

MSDN Webcast: Digital Blackbelt Series: The Software Security Crisis: Selling Management on the Need to Invest in Secure Software Development (Level 100)
MSDN Webcast: Digital Blackbelt Series: The Software Security Crisis: Selling Management on the Need to Invest in Secure Software Development (Level 100)

Friday, February 4, 2005 11:00 A.M.-12:00 P.M. Pacific Time, United States and Canada (UTC-8)

Tune in for an introduction to the Digital Blackbelt Series. Learn about the evolving "Secure Culture" at Microsoft Corporation and how your company can save money by spending defensively.

MSDN Webcast: Digital Blackbelt Series: Building an Intentionally Secure Development Process (Level 200)
MSDN Webcast: Digital Blackbelt Series: Building an Intentionally Secure Development Process (Level 200)

Friday, February 18, 2005 11:00 A.M.-12:00 P.M. Pacific Time, United States and Canada (UTC-8)

Tune in for a discussion of organizational considerations, process hierarchy, lifecycle management and support tools. This will be the framework that you will use to organize and insure secure technologies.

Friday, January 21, 2005

I,Secure

Browsing the Web and Reading E-mail Safely as an Administrator, Part 2 Browsing the Web and Reading E-mail Safely as an Administrator, Part 2
Michael Howard builds upon his previous article by showing you how to use SAFER with local or enterprise policy to reduce potential threats when running as an admin. (January 17, Article)

Use Role Based Security with the Web Services Enhancements 2.0 Use Role Based Security with the Web Services Enhancements 2.0
See how WSE 2.0 integrates X.509-based WS-Security authentication with role-based security features in the Microsoft .NET Framework, and how to use WS-Policy in WSE 2.0 to greatly simplify tasks. (January 17, Article)

Guidance on Patterns & Practices: Security Guidance on Patterns & Practices: Security
Keith Pleas discusses how to create secure applications on the Microsoft platform with patterns & practices guides described in this article. (January 15, Article)

Wednesday, January 19, 2005

TulaFale: A Security Tool for Web Services

TulaFala looks pretty interesting. Its the part of the Samoa Project i blogged abt in the earlier post visit http://securing.ws/,Site also contains tons of links to resources dealing with web services and security related aspects.

Download : TulaFale: A Security Tool for Web Services

Samoa: Formal Tools for Securing Web Services

 
  Microsoft Research, Cambridge

 An XML web service is, to a first approximation, a wide-area RPC service in which requests and responses are encoded in XML as SOAP envelopes, and transported over HTTP. Applications exist on the internet (for programmatic access to search engines and retail), on intranets (for enterprise systems integration), and are emerging between intranets (for the e-science Grid and for e-business). Specifications (such as WS-Security, now at OASIS) and early toolkits (such as Microsoft's WSE product) exist for securing web services by applying cryptographic transforms to SOAP envelopes.

The underlying principles, and indeed the difficulties, of using cryptography to secure RPC protocols have been known for many years, and there has been a sustained and successful effort to devise formal methods for specifying and verifying the security goals of such protocols. One line of work, embodied in the spi calculus of Abadi and Gordon and the applied pi calculus of Abadi and Fournet, has been to represent protocols as symbolic processes, and to apply techniques from the theory of the pi calculus, including equational reasoning, type-checking, and resolution theorem-proving, to attempt to verify security properties such as confidentiality and authenticity, or to uncover bugs.

The goal of the Samoa Project is to exploit recent theoretical advances in the analysis of security protocols in the practical setting of XML web services. Some early outcomes of this research include an implementation of declarative security attributes for web services and the design of a logic-based approach to checking SOAP-based protocols.

Read More

.NET Security Guidance Links

Application Security Webcast - Slides

Supporting Artices from the Security Webcast

MOM 2005 Security Without Active Directory

You Can Use MOM 2005 Without Active Directory
    Unfortunately, it was not made clear in the MOM 2005 documentation, but you can deploy and successfully use MOM 2005 without Active Directory. Although MOM 2005 installs and functions (for the most part anyway), there are a few features that are not available without AD. I will concentrate upon the security features right now, but there are other features, such as Discovery, that are either not available or are affected in some way without AD.

The Security Features Not Available without AD:

  • Mutual authentication - It will not be possible for MOM to have agents and Management Servers positively authenticate each other. This feature was offered to help mitigate man-in-the-middle attacks and spoofing attacks.
  • Reject manually installed agents - all manually installed agents will show up in the Pending Actions folder even if the feature is selected. This feature was offered to help mitigate rogue administrators installing agents without, or even against, IT policy.
  • Prevent agent proxying - agents will not be blocked from sending data form other computers or network devises. This feature was offered to help mitigate spoofing attacks and certain DoS attacks.

The Security Features Still Available without AD:

  • Block Legacy Agents - You can still block pre-MOM 2005 agents form communicating with the Management Server.
  • Secure Communications Channel - this encryption channel between the agents and the Management Server does not require AD.

What does this mean? Basically, this means MOM 2005 will be less secure in these respects and I know of no way to use other means to substitute these intended mitigations. In today’s security-conscious world, I thought all should be aware of this.

Note - The MOM Management Server must do not have to be a member of a domain. For more information, see the MOM 2005 Supported Configurations document either on the product CD (root/RelDocs/SuppConfg.htm) or online .

Note about the above note - OK, the MOM servers (Management Server, Database Server, and Reporting server) do NOT have to be in an AD domain.

For more information about these features and MOM security in general, see the MOM 2005 Security Guide

(Download or TechNet)

Moral of the story - Use Active Directory

Via James Morey

Tuesday, January 18, 2005

Windows worm travels with Tetris

Screengrab of Cellery in action, Sophos
The version of Tetris is recognisable and just as playable
Users are being warned about a Windows virus that poses as the hugely popular Tetris game.

The Cellery worm installs a playable version of the classic falling blocks game on PCs that it has infected. While users play the game, the worm spends its time using the machine to search for new victims to infect on nearby networks.
The risk of infection by Cellery is thought to be very low as few copies of the worm have been found in the wild.

Protect yourself

The Cellery worm does not spread via e-mail like many other viruses. Instead it browses computer networks for PCs that have not shut off all the insecure ways they connect to other machines.

When it infects a machine, Cellery installs a version of Tetris that users can play. As the game starts up the worm also starts a music file to accompany it. At the same time the virus starts scouring networks for other vulnerable machines. The virus does no damage to machines but heavily infected networks could slow down as scanning traffic builds. Productivity may suffer too if users spend time playing Tetris.

PCs running Windows 95, 98, ME, NT, 2000, and XP could be vulnerable to the worm.

"If your company has a culture of allowing games to be played in the office, your staff may believe this is simply a new game that has been installed - rather than something that should cause concern," said Graham Cluley, spokesman for anti-virus firm Sophos.

So far the number of people infected by Cellery is thought to be very small and the risks of further infection is very low. Sophos urged users and companies to update their anti-virus software to keep themselves protected.

Monday, January 17, 2005

Swap Data More Securely with XML Signatures and Encryption

 TRUSTWORTHY CODE

Exchange Data More Securely with XML Signatures and Encryption
By Mike Downen and Shawn Farkas
Parts of this article are based on a prerelease version of the .NET Framework 2.0. All information pertaining to those sections is subject to change.

This article discusses:
  • XML Signature and XML Encryption standards
  • Digital signing and encryption features in the .NET Framework 1.x and 2.0
  • X.509 certificate integration

This article uses the following technologies:
XML, .NET Framework, C#, Security


Code download available at:
XMLSignatures.exe (241KB)


 

The XML Signature and XML Encryption standards are being used extensively as building-block technologies. MicrosoftOffice InfoPath uses XML signatures to sign partial or whole forms. Web services use XML signatures to sign SOAP messages and XML encryption to encrypt them. The XML manifests for ClickOnce based applications, new in Visual Studio 2005, also use XML signatures. The .NET Framework 1.x includes an object model for the XML Signature standard, and the .NET Framework 2.0 adds additional support, while adding an object model for XML encryption as well. This article explains the XML Signature and XML Encryption standards and shows you how to use them with .NET. For the actual XML Signature specification, see the W3C standard at XML-Signature Syntax and Processing.

Read the full article

Sunday, January 16, 2005

Nightmare !!!

How to get rid of ur worst nightmare (worms on ur system!)

Say you left your system to complete certain download tasks or to update itself when you come back, your firewall is crashed and u have a nasty worm/spyware on your system,
ever experienced a scenario where your trusted antivirus software cant help u, what do u do ???

well, the general answer would be I would check for the tasks/processes running on system to evaluate any suspicious activity u might use taskmanager or winspy etc then what ? this oneliner lol, is the most frequent one to my tech-support calls from my friends and friends of friends & ...

" i kill the task and it pops back again, i delete the file and it comes back again"

well we all have experienced that havn't we, so here's certain things to do / not to do

First restore your firewall (else disconnect from internet) to avoid further welcoming other malware! 

TIP: if u cant disable the internet from the taskbar connectivity tab then stop/disable terminal services on windows services

Now, for many new spywares there removal requires special downloads to clean it off the system let us assume we dont have one on board and that the spyware effected HOSTS file (many do @least few of the ones i encounter'd) forget trying to access any antivirus sites and dont get surprised if u get routed to some other offensive page, So what to do before system goes critical!

TIP: its generally wise to hav a latest virii scanner and cleaners like stinger,etc to be burn'd into a cd for emergency

if we kill the task it pops back up also if u delete the file say c:\windows\system32\loadnew.exe (yaa its a spyware) it too pops back up so any solution ? 

TIP: many worms take the user's ignorance to their 'benifit of the doubt', u watch a process being run from sys32 directly u might leave it to do its nasty work, so generally almost 90% of spywares/worms get downloaded to sys32 or win folder. dont fall for it!

Answer to this problem would sound funny but actually works better than the classical
{list the path of the file-reboot to dos-delete the file} this is good @least used to be good until we got NTFS say even our primary drive (drive on which OS is installed)

TIP: it is not a good practice to hav OS drive partitioned into NTFS as its timetaking and troublesome to fix any problems like the one above and many many more... 

taking the worst of worst case scenario lets consider we have a NTFS Primary drive so generally the only EXTREME alternatives i find people to be talking is - to either FORMAT or to make ur hardisk into slave run an antispyware scan from a different OS  etc, etc WORSE would be to run it ignoring the spyware! Coming back here is the answer what to do:

COPY CON IT :) Yes! create a file with the same name and make it a read-only and hidden file!

Example:

say my firewall failed and i got a headache spyware downloaded to my system "c:\windows\system32\loadnew.exe"

first terminate the process in the memory use taskmanager or winspy

next delete the file listed in the path u read on taskmanager or winspy. (if u wish to experiment rename it into a non executable extension!)

NOW CREATE A DUMMY FILE WITH THE SAME NAME AS SPYWARE

I USE CMD SHELL: copy con c:\windows\system32\loadnew.exe

what do u have/type in that dummy file ? Well, u can have/type your name LOL

then convert the file to hidden and read-only just as a precaution.

Once this is done be sure to get an application error even before u launched anything saying - "c:\windows\system32\loadnew.exe" is not a valid win32 file.

this is because the worm initially writes into the windows registry for auto-starting itself once its process is terminated but here when the process is restored or attempted to restore it launches a file with your name LOL, and since the file already exist the worm would not try to replace the file (remember the precaution thats for - if it tries)

Remember this procedure is only to get rid of the worm and to access internet for downloading of the removal tools remember u still have some registry to clean.

TIP: it is good to make your HOSTS file to read-only this will LIMIT the extent of any worms damage and ease up restoration and cleaning activity

Article details:
Name : ER from Spyware
level   : Anyone

No more a Nightmare ;) lol

Saturday, January 15, 2005

Trojan WMVs download a dictionary of spyware Beware!!!

PandLabs says it has seen most of these copies out on peer-to-peer networks, but warns that there is nothing preventing them turning up in email attachments or burned to a CD.

Ironically, those at risk are Windows XP users with Service Pack 2 installed and the latest version of WIndows Media Player - version 10.

However, most antivirus companies began offering protection against these viruses around 5 January, so users with up to date protection should be safe.

Hardening Your Web Server

 There are a number of procedures u can typically follow in preparing Web servers to go live on the Internet:
  • Always keep security patches up to date. Applications to check include the server OS, IIS, SQL Server, FrontPage, Office, and SharePoint Team Services. notify customers when u get new security bulletins.
  • Run the Microsoft Baseline Analyzer tool on the server until all patches are complete and other exposures are minimized; then run the IIS Lockdown Tool and URLscan wherever possible.
  • Enforce the use of role-based security and strong passwords on everything and everyone who can change anything on the server.
  • All content sites are housed on a different hard drive than the OS and other key resources. Different customer's sites are housed in separate unrelated directory structures. Disaster and recovery procedures should be in place and in practice for every server.
  • All sample sites and unused sites (like the IIS admin and the default site) are removed or incapacitated. All unused applications and services are removed or disabled.
  • The server is behind a firewall with all ports closed except the ones I use.
  • Use host anonymization software like ServerMask from Port80Software. This hides the server's identity, vendor, and version in the host header from malicious hackers.
  • Proactively test customers' applications to make sure that there are no obvious security holes. In addition to testing their applications from the browser,
    for testing Web application vulnerabilities: GreenBlue Inspector lets me view request and response headers, cookies, and forms input. It also lets me test for buffer overrun vulnerabilities and SQL injection vulnerabilities, two of the most common security failures in Web applications. (See the Resources box at the end of this article and the Toolbox column in this issue.)
  • Always keep a watchful eye on your server's logs.
Resources

 Honey Pots and Other System Security Strategies
  The Honeynet Project
  Honeypots Solutions
  snort_inline
  Microsoft Security Support

 General Security Tips
  Network Abuse Clearinghouse
  Building and Configuring More Secure Web Sites
  How IIS Authenticates Browser Clients

 Using Host Headers to Set Up a Multihomed Server
  www.winnetmag.com/Article/ArticleID/7176

 How to Build a Web Development Environment
  www.winnetmag.com/Article/ArticleID/7403

 Interpreting Your Log Files
  Troubleshoot Kerberos-Related Issues in IIS (Including error codes)

 Useful Tools
  Microsoft Baseline Security Analyzer
  IIS Lockdown Tool with URLscan
  Ecyware GreenBlue Inspector
  Web Server Anonymization and Obfuscation and Other Useful Tools

Beat Hackers At Their Own Game With A Hackerbasher Site

Beat Hackers At Their Own Game With A Hackerbasher SiteBeat Hackers At Their Own Game With A Hackerbasher Site
Learn a strategy that will divert port 80 attacks away from unsecured public Web sites into a dead end where they can't do damage.

  • Prevent automated attacks from reaching legitimate Web domains
  • Automatically divert attacks into a dead end
  • Get a single log that shows all attack traffic
    • Are u under a barrage of attacks ??? hackers and crackers with automated IP port scanners can swamp a Web site with bogus requests and failed logons.The sheer volume of this traffic can reduce response times and overload service request logs. Failed logon attempts (sometimes several hundred in a minute) can obliterate legitimate security reporting in the event viewer. Even if the hacker never gains access to anything, your Web site suffers. I use several procedures to minimize the attack surface. But even after hardening the server and putting it behind a firewall, it is still vulnerable to attacks on port 80.

      Figure 4 Failed Logons from an Automated Attack
      Failed Logons from an Automated Attack

      Many of these attackers appear to be crackers,thrillseekers who simply want to break into something. Crackers usually sniff around for the obvious stuff such as unsecured databases and leftover developer sample files. Obviously, some attackers are on a mission to get in and do damage.

       In this article, an easily implemented strategy is presented that uses HTTP 1.1 host headers to divert port 80 attacks away from unsecured public Web sites into a dead end where they can't do damage. the site, called Hackerbasher, stops the automated attack and records the details about the attack along with the IP address used by the attacker. Hackerbasher doesn't require any special software and its only cost is the time it takes to set it up on your server. You also get the added benefit of being able to monitor port 80 attacks in a single log file. 

      READ THE FULL ARTICLE

      So how do we track down these people? One way is to use a honeypot: an information system resource intended to receive unauthorized or illicit use. The Honeynet Project was set up so that the good guys can watch and analyze what hackers do. The Honeynet Project reports that the average life expectancy of a honeypot on the Internet is 72 hours. The shortest known manual compromise time was 15 minutes, but a worm got the job done in 15 seconds.

      I,Secure

       

      Harden MS Reporting Services Using Custom Extensions
      by Teo Lachev
      An incredibly flexible extensibility model is included with Microsoft Reporting Services and hammering down a custom security model is one smart way to take advantage. Shore up your implementation with forms authentication and role membership.


       

      Implementing Encrypted SQL Server Database Columns with .NET
      by David Talbot
      Many government agencies needing HIPAA compliance, such as HUD, require encryption of certain database columns. For systems tracking victims of domestic abuse, it's critical to encrypt personally identifiable data. Fortunately, implementing encrypted database columns is simple using .NET and SQL Sever 2000.


       

      Protect Yourself from PHP Worms
      by Laurence Moroney
      Don't just change your code to protect yourself from attacks such as the Santy or PHPInclude worms ---- change your tactics.

       

       Demo: Adding Security to Web Services
      Security is an important concern when using Web services in an enterprise. This demo shows you how security is added to a Web service invocation by modifying the Web service deployment descriptor. Three different security techniques are demonstrated:
      Basic authorization; Signing a SOAP message; and Encrypting parts of the SOAP message. View the demos in this two-part series.

      Sunday, January 09, 2005

      Hackers Sniffing For Vulnerable Microsoft Servers

      A vulnerability within Microsoft's WINS (Windows Internet Naming Service), a component of popular server software such as Windows Server 2003, has been heavily exploited since the last day of 2004, several security organizations reported Tuesday. (jan 4th)

      Although the vulnerability was patched in mid-December by Microsoft, the Internet Storm Center and the Research and Education Networking Information Sharing and Analysis Center (REN-ISAC) at the Indiana University have seen a drastic increase in the number of probes directed at WINS services (TCP and UDP ports 42). "Patching these systems is now overdue," said the SAN Institute's Internet Storm Center in an online alert.

      "Additionally, WINS services probably should not cross your border router...so block these ports and keep the rif-raf out in case your local Windows Server Admins have not patched for this," the Center continued.

      The patch for the WINS issue can be found on Microsoft's Web site.