My Security Blog

iPhoned..

2010-04-17T11:52:00.000+05:30

A simple javascript to point the blog to its feed when opened via iPhone and rest is taken care by apple. (reader.mac.com). check out the source for the code.

Anyone noticing a conundrum in this post.. lol.

thats why.. lol…

2010-04-16T11:45:00.001+05:30

Panda Cloud Antivirus !!!

2010-04-09T13:10:00.004+05:30

Interesting! Confusing! and Free!
thinking.. Jedi vs Seth ~ Cloud vs BotNET, lol…

Panda Could Antivirus, an interesting, a bit confusing free antivirus solution, Would have been nice if i dint have to UNINSTALL EXISTING ANTIVIRUS TO INSTALL PANDA CLOUD!!! I hate it when AV’s do that!!! so try only if you have time and patience to… Uninstall – Reboot – Install – Possibly a reboot - Reinstall - Definitely a reboot – Done… or are you ? Any major OS updates resets the AV into reinstalling it, this may drive you crazy or you may just wanna try it on a VPC would be great if your VPC is slow. I would consider this an experimental build or a beta at best! and hence wouldn’t want this alone on my pc. but true to its word it does have a very low memory footprint 2MB!!! wow!!! and panda is a good AV, but Cloud obviously needs to be connected to work better and this is bad!!! Remember worms do block websites so that they cannot be cleaned!!! Not too bad it only asked to be connected sometimes in random, Panda: “aah... well i dont let you get infected in the first place and if u do i have a command line scanner too but no no other antivirus allowed !!!“ bad panda! lol…

First Impressions: the look is pretty dumb there is nothing, absolutely nothing to configure! You wouldn’t even know if it can scan archives, it doesn’t; if its workin and it does work!! Other than assuming the user to be dumb, well what else to assume with a dumb looking UI, no documentation to make sense how it works rather than what it is! Searching forums help here! Think its an ok solution but a lot of scope for improvement and a has a great potential to be, Need to Evolve More lol.. May be this is how we can get rid of all the junk (bots, worms, trojans, viruses; well they are toxic waste of the cyberspace). Think of the collective finds!!! Well atleast panda’s gonna have a huge collection of sure shot signatures as a rain/result from this cloud! Anyways Avira’s back (installed it after installation of panda lol…) and both are running pretty good, not much load at all! Avira and Panda keeping watch together, Panda holding an Umbrella lol…

Well a Cloud Antivirus is probably good for systems on enterprise networks (always on, always connected and clean network) And for PC ? may be..

I do like the panda icon on my taskbar ;)

Thought: Was it a Cloud or a botNET that SKYNET spreads into… let me know when t1000 arrives!!!

BEST BROWSER (*FIREFOX) ADDONS!!!

2010-04-05T01:10:00.001+05:30

If you don’t already have these two set them up at once!

NoScript: The NoScript Firefox extension provides extra protection for Firefox, Flock, Seamonkey and other mozilla-based browsers: this free, open source add-on allows JavaScript, Java and Flash and other plugins to be executed only by trusted web sites of your choice (e.g. your online bank), and provides the most powerful Anti-XSS protection available in a browser.

https://addons.mozilla.org/en-US/firefox/addon/722

AdBlockPlus: Annoyed by adverts? Troubled by tracking? Bothered by banners? Install Adblock Plus now to regain control of the internet and change the way that you view the web. You can also choose from over forty filter subscriptions to automatically configure the add-on for purposes ranging from removing online advertising to blocking all known malware domains.

https://addons.mozilla.org/en-US/firefox/addon/1865

WOT (Web of Trust): Would you like to know which websites you can trust? The WOT add-on is a safe surfing tool for your browser. Traffic-light rating symbols show which websites you can trust when you search, shop and surf on the Web. Protect yourself from online scams, sites with adult content, spam and other Internet threats.

https://addons.mozilla.org/en-US/firefox/addon/3456

BORG!!! BOT!!! FIGHT!!!

2010-04-04T22:44:00.003+05:30

We are the Borg! You will be Assimilated! Resistance is futile!
Is your PC ~~BORG~~ BOT ? Just the Same!!! Just the Evil!!!

I dint quite came around talking about Bots before so here it is: In one of my boredom experiments i tested a new install (vista, not a test install but that’s another story, lots of others too soon..) just to see how just how long it takes to get a pc botted and surprisingly it went well i dint disable the inherent security features the OS comes with (Defender, UserAccessControl, Firewall) nor added any additional security features. It was not untill i disabled the UserAccessControl (Don’t do that! if u hate UAC nag screens like i do install security solutions and use limited account / UAC was disabled because i was impatient and i intended on getting the system infected faster not because it was 100% foolproof although an admirable feature security features should not be a nag) nyways it dint take long to get infected, Infection started from a legit file sharing site hosting a infected javascript file! ~ErrorBadMemoryRecallFailure~ another reason i should be blogging more! Viruses, Worms (check previous posts for them) and even Bots were ON within a few minutes of dumb surfing…

Btw, OpenDNS lets you know if you are botted:

BotNET’s are growing more and more they are considered a more lucrative business in underground communities, not that difficult to imagine why? There’s no direct link between the worm bot and the creator nor it would directly be causing menace no fear of a bounty on their heads no easy way to trace b’caz they are not profited directly, (not sure but i don’t think the bot will be silent if you are typing a 15,16 digit code (your cc number)) you are sold as a hive (millions of infected pc ~ a borg collective?) to do their bidding for just a few thousand dollars! implies each bot pc (well its no more your pc) is cheaper than a penny check out how spam works when Click Online acquires a botNET:

They even have a user interface to be controlled from (complete control over your the hive ~borg queen~) Spam, Keylog (send whatever you type), Bring down a website (DDOS) Attacks (thousands of bots hit a website making it inaccessible to anybody real), other yuck, yuck, etc…

Now if the question is what the Antivirus companies are doing well they are at work a few of the BEST can detect bots using heuristic methods but mostly antivirus depends on signatures of the viruses the way they detect them in simple terms antivirus (wbc) need signatures (antibodies) to kill them, cant get simpler than that lol.. now its practically impossible for the antivirus companies to recognise all the virus in the world especially when these bots can not only AutoUpdate bypass firewall and fool your antivirus but also use you (your pc) as a medium to spread more to your network your mailing list and so on!!! sounds scary isn’t it it is and the worst is most of them reside at ignorant Institutions and Organizations which should be the most secure! Follow these Guidelines for a safer computing!!!

PS: A Pulse Modulating Phazer kills the Borg!

GUIDELINES FOR SAFE COMPUTING:

2010-04-04T22:44:00.001+05:30

Welcome to Defense against the Dark Arts.. lol!

Use a LIMITED Account Always!
If this might be of any incentive its actually faster than an Admin Account.
Keep your OS and your Security Solutions Updated!
Do i need to say more bugs get pached so that you (your pc) are not venerable.
Don't Use illegal Software or cracks and warez! (trojan’s beware!)
Studies show that’s how many get infected in the first place and pass on!
Keep two Antivirus Solutions at hand (One Active Other on Schedule Scan preferably weekly)
Both being Active can result system slowdown! heatup! reduces your hard-disk lifespan! (as both the antivirus solutions will be fighting to scan everything parallel to what you are accessing. Nevertheless if you want them both ON use ones that are thou powerful but put on less load (like Avira) and keep a look out for two antivirus fighting between themself to kill a virus lol..
PS: DONT FORGET TO DISABLE ARCHIVE SCANING IN ATLEAST ONE OF THEM!!!
Use a Sandbox Software for testing new software's and solutions!
Two Advantages: One, keeps u safe from unwanted modifications to your system at worst an embedded virus probably not intentional by the developer but infected intentionally / unintentionally through the chain of hands it came to you (have a option of downloading than using an old copy on disk download u get newer version and less possibility of infection. Two, keeps your registry clean = faster PC.
Use Community Supported Antispyware Solutions!
Tells you if the file you are downloading is a safe one or not!
Enable DEP (Data Execution Prevention) and Use a Memory Firewall
Check my Previous posts on how to, only Free Memory Firewall Available is Comodo.
Firewall : Windows Firewall is …
Gud it blocks all inbound connections except ones u allow its better if you are on a limited account so no program tries to bypass it if all the applications on your system are clean if you are not already infected if… (Argh! to many if’s) Don’t use a firewall unless it can block and filter most of the incoming and outgoing junk itself without your interference meaning Windows Firewall is good, i love it for its simplicity but we need better! or stay in a clean network. Windows Firewall at best is a good filter put a firewall that’s a kick ass!!! if you don’t want to change use threatfire it will act like an addon increasing your security.
Additional Security and Added Solutions are useful!
Sensitive data on your PC is better stored encrypted, Lock the Folders from prying eyes and programs, Denied Access or change, this can be achieved by variety of applications available free to simple settings of NTFS Access Control Lists. (Note: NFTS Encryption can be cracked)
Don’t over do it!
Too many tools to manage ? Then use professional solutions like Avira Premium even Norton 360 will do (ya, ya, i know lol.., Symantec has improved its not a drag as much and i like its firewall) manage most of these from one console free alternatives are just as strong just as good but don't over do it remember security is essential but only to give u a pleasant experience not to give a stuck and drag experience.

Most of the security essentials are enabled by default in your operating system to prevent infections just download the rest or update/upgrade them to better..

Bottom line! (quite literally lol..)
Follow these to prevent infections i dont want any executables downloaded into my temp folder and run no matter who what, how they browse! do you ???

K9 Web Protection - Free Internet Filtering and Parental Controls Software

2010-04-04T11:23:00.002+05:30

I came across K9 Web Protection from Blue Coat Systems in one of my researches and was very impressed by its simplicity, its has a strong online community that not only reports hacks and methods that bypass the filter but also helps update its filters and categories. you can easily configure to block the selected categories or simply monitor the system. I love the feature where you can set the search engines to result safe searches only!

Its Clean has a neat administration interface via browser (http://127.0.0.1:2372) and easy to configure filters, Best of its Free has both Windows and Mac versions !!!

I tested the system and its simplicity gave it away lol.., it not that difficult to bypass if you understand how it works ;) To be fair its wasn’t a flaw in the software that let me do this but the operating systems transparency. Anyways set it up with a limited account and should work great!

Great software for parents to keep their children safe!

Must Have Security Solutions (for free)

2008-02-27T18:51:00.004+05:30

The Question ! New PC How to Secure ? Here’s the Answer some must have security solutions that don't have any performance drag and memory use even when all of them are running at the same time oh and did i mention they are all free. Remember Security for PC is to give you good computing experience, being paranoid and installing many security solutions just causes system drag doesn't help!

Avira Antivir
Top Rated AntiVirus, over 30 million users, Free for Personal Use.
http://www.free-av.com/

Threat Fire
Fills in the gap where conventional AntiVirus fails! Ideal protection against 0-day attacks
http://www.threatfire.com/

Windows Defender
Kool Antispyware from Microsoft Free (Preinstalled in Vista)
http://www.microsoft.com/athome/security/spyware/software/default.mspx

SpyBot S&D Resident or WinPatrol (AntiSpyware)
Both do little or more the same thing has good features a must have!
http://www.safer-networking.org/en/index.html
http://www.winpatrol.com/

Sunbelt Personal Firewall (Previously known as Kerio Personal Firewall)
Just like Windows Firewall this too doesn't slow your connection or speed but gives more features and options.
http://www.sunbelt-software.com/Home-Home-Office/Sunbelt-Personal-Firewall/

Comodo Memory Firewall
Buffer Overflow Protection for all the programs running on your Memory.
http://www.memoryfirewall.comodo.com/

Sandboxie (Run in a Sandbox) or BufferZone Free Protection (Run in a Virtualized Environment)
Run Isolated to System, Restrict Access to System Processes and Environment or Run in a virtual Environment good where Sandboxing fails if the application requires System Services or if you think the sandbox is slowing the operations.
http://www.sandboxie.com/
http://www.trustware.com/virtualization/free.html

Happy & Safe Computing..

Goolag Scanner Released!

2008-02-21T17:13:00.000+05:30

Is this Good or Bad ??? much to debate and surprise, think this would be a good thing. Yep! good thing for everyone who own's a website that's pretty much everyone i know, lol.. "how can this be a good thing ?" use this tool to audit your websites and fix stuff before that information is used to bring the site down.

Released by CULT OF THE DEAD COW (cDc), one of the world's largest hacker group, Goolag Scanner is a web auditing tool. Goolag Scanner enables everyone to audit his or her own website via Google. The scanner technology is based on "Google hacking," a form of vulnerability research developed by Johnny I Hack Stuff. You will be surprised what all could be found about a website via google.

Google Hacking Database [ http://johnny.ihackstuff.com/ghdb.php ]

Goolag Scanner [ http://www.goolag.org/download.html ]

This database has long helped Admin's to better secure their websites. similar books from publishers resulted in best sellers, hoping this scanner would run on similar tracks helping even the end user with little knowledge to better manage their websites.

Review: First off an interesting installation voice supported, I scanned a few of my Websites and found no problems, Yappy!! (All those installations and customizations and tweaks did help lol..) The scanner scans for over a 1400 issues including starting from vulnerabilities, installations to error message listings, be warned if you select to run all the tests at once the extensive use of google can result google detecting your activity as that of a bot, not much of a problem you just need to prove Google that you are not a bot enter a few letters from a pic to unblock and continue but at the end of all this you rest assured that your website is safe from almost 1400+ hacks methods and vulnerabilities. or you know what to fix atleast. funny i expected this tool to have an update feature still in beta may be in future versions.

Change DNS ? for a Safer, Faster Online Experience

2008-02-20T20:51:00.001+05:30

OpenDNS is the world's largest, Free DNS service provider. Millions use it to handle their DNS and Web-content filtering needs. And how Complex is this ? its dead easy! just change your DNS and you are done. Yes its that easy. Configure it to your PC, Router or use it with your existing DNS Servers. It also keeps you safe from all those Phishing Sites too.. Using Phishtank (www.phishtank.com), a free online community where one can submit, verify, track and share phishing data, Want more, you can also filter out adult sites and proxies among more than 40 categories, and provide the precision to block individual domains (content filtering), And its faster than your ISP's DNS servers too.. Great for Schools, Organizations, etc., or for Personal use.. Check out there HUGE list of Subscribers and testimonials..

Faster! Safer! What are you waiting for ? (https://www.opendns.com/start)

208.67.222.222
208.67.220.220

Iconix eMail ID!

2006-07-30T22:41:00.004+05:30

Just came across quite a useful tool...

ICONIX: Tired of trying to figure out which email messages might be phishing or fraudulent spam? Iconix eMail ID lets you see what's real before you even open the message. Iconix eMail ID works with your email program and double checks the source of a message to make sure it's not a spoof. It then uses a simple visual indicator in your inbox - a gold lock with a checkmark to show that a message is real. E-mail from over 300 major senders is currently identified--companies such as eBay, PayPal, Citibank, Amazon.com, Expedia, MySpace, and the New York Times represent the top online sites for retail, travel, auctions, banking, e-cards, news/entertainment, and dating. Version 3.15.16 added support for Mozilla Firefox and Internet Explorer 7.0 beta 2.

http://www.download.com/Iconix-eMail-ID/3000-2382_4-10554745.html

"Computers are incredibly fast, accurate and stupid; humans are incredibly slow, inaccurate and brilliant; together they are powerful beyond imagination." -- Albert Einstein

SQL Injection Scanner

2006-06-10T10:34:00.000+05:30

Finally found a sql injection scanner that would help u secure ur sql better by listing out its vulnerabilities. you can download a free trail or request a free security audit. the service scans for SQL Injections, Cross Site Scripting and other Web Vulnerabilities [ SQL Injection is a hacking technique which modifies SQL commands in order to gain access to data in the database. Cross site scripting attacks allow a hacker to execute a malicious script on your visitor´s browser.] other vulnerabilities it scans for:

CRLF injection attacks
Code execution attacks
Directory traversal attacks
File inclusion attacks
Authentication attacks
& More…

Resources:

Read whitepapers & articles about Web application security

SQL injection : SQL injection is a hacking technique which attempts to pass SQL commands through a web application for execution by a backend database.
Cross site scripting : Cross Site Scripting (also known as XSS or CSS) generally occurs when a dynamic web page gathers malicious data from a user and displays the input on the page without it being properly validated.
CRLF Injection : A CRLF Injection occurs when a hacker manages to inject CRLF Commands into the system.
Directory traversal : Directory Traversal is an HTTP exploit which allows attackers to access restricted directories and execute commands outside of the web server's root directory.
Authentication hacking : Authentication hacking is a term used when the attacker breaks into the system by proving to the application that he is a known and valid user, the attacker gains access to whatever privileges the administrator assigned that user.
Google hacking : Google hacking is the term used when a hacker tries to find exploitable targets and sensitive data by using search engines.

A Must Audit for all Web Apps!
www.acunetix.com/sql-injection/

Symantec confirms vulnerability in antivirus software

2006-05-27T16:05:00.000+05:30

Symantec confirmed Friday afternoon a vulnerability in its Antivirus Corporate Edition software that had been discovered by security firm eEye. According to the company, a successful exploit of the flaw could "potentially cause a system crash, or allow a remote or local attacker to execute arbitrary code with System level rights on the affected system."

At this time, Symantec has only issued IDS signatures that will be able to detect attempts to exploit the vulnerability. Network Security Appliance 7100 signatures (SU 46), Gateway Security 3.0 signatures (SU 19) and Client Security 2.0 and 3.0 signatures (SU 22) have been made available via the software's live update feature.

The company recommends that customers adjust their software policies as long as the flaw is exposed to a potential exploit. Specifically, the firm said that companies should restrict access to administration or management systems to privileged users only, keep all operating systems and applications updated with the latest vendor patches and "run both firewall and antivirus applications, at a minimum to provide multiple points of detection and protection to both inbound and outbound threats."

Symantec also said that users should "be cautious visiting unknown or untrusted websites or following unknown URL links" and should not "open attachments or executables from unknown sources."

Symantec Anti Virus Software Flawed !!!

2006-05-27T04:33:00.000+05:30

A flaw has been detected in Symantec's leading anti-virus software AGAIN!, by researchers from eEye Digital Security.

The anti-virus software, Symantec 10.x, which protects some of the world's largest corporations and US government agencies, suffers from a flaw that lets hackers seize control of computers to steal sensitive data, delete files, or implant malicious programs.

Symantec is investigating the issue, but could not immediately confirm the vulnerability. However, if confirmed, the threat to computer users would be severe because the security software is widely used, and because no action is required on the part of victims to bring on the attack.

Symantec says it has these anti-virus products installed on more than 200 million computers. Meanwhile, a spokesman for the company said that it is examining the reported flaw, but described the flaw as so new that the company does not have any details on the same.

Researchers at eEye Digital Security have said that the vulnerability is capable of being exploited by remote hackers to take complete control of the target machine, "without any user action". eEye Digital has published a note about the discovery on its Web site, but has pledged not to reveal details until after Symantec repairs the flaw, as this would help hackers attack Internet users. eEye Digital has posted a brief advisory to raise alarm about the bug, which can allow execution of malicious code with system-level access. The flaw carries a "high risk" rating because of its potential for serious damage.

Meanwhile, the flaw happens to come at a very awkward time for Symantec. John Thompson, chief executive, Symantec just recently campaigned to convince consumers to trust Symantec and not Microsoft for protecting their personal information, he he he lol…

Security in the CLR World Inside SQL Server

2006-05-26T07:25:00.000+05:30

Is running ।NET Framework code within SQL Server 2005 exciting or a threat? Which is it? This article explores the security issues of SQLCLR code so that both developers and DBAs can make informed decisions about its use.

One of the major benefits of writing .NET code to run in the Common Language Runtime (CLR) hosted in any environment is code access security (CAS).

CAS provides a code-based rather than user-based authorization scheme to prevent various kinds of luring and other code attacks. But how does that security scheme coexist with SQL Server 2005's own, newly enhanced security features? By default your .NET code is reasonably secure, but it's all too easy for the two security schemes to butt heads and cause you grief. In this article I'll look briefly at the concept behind CAS and a few new security features in SQL Server 2005, then explore how to make the two systems work for you instead of against you as you take advantage of these advanced programming features in SQL Server.

The good news is that Microsoft did a great job bringing together the security systems of SQL Server and the Common Language Runtime, with tools to control code. But there are some interesting features—both to watch for and to take advantage of!

Don Kiely gives a complete detail about and how to secure ur SQL Server, chk it out।

Page 1: Introduction
Page 2: Securely Hosting SQLCLR Code

Page 3: SQL Server-Level Security
Page 4: SQLCLR Permission Set Levels
Page 5: Accessing External Resources
Page 6: It's Secure Enough

New Yahoo IM Worm Poses as 'Safety' Browser

2006-05-23T09:30:00.000+05:30

Security researchers have identified a new worm spreading across Yahoo's instant messaging network that has been cloaked under the guise of a "safety" browser in an attempt to dupe users.
The worm (named yhoo32.explr) installs a piece of software called 'Safety Browser' and then hijacks the Internet Explorer homepage, leading users to a site that puts spyware on their PCs.

Because Safety Browser uses the IE icon to identify itself, users can easily mistake it for the legitimate Internet Explorer. This is the first recorded incidence of malware installing its own web browser on a PC without the user's permission, according to security firm FaceTime.

The self-propagating worm spreads the infection to all contacts in Yahoo! Messenger by sending a website link that loads a command file onto the user's PC and installs Safety Browser.

"This is one of oddest and more insidious pieces of malware we have encountered in years," said Tyler Wells, senior director of research at FaceTime Security Labs.

"This is the first instance of a complete web browser hijack without the user's awareness. Similar 'rogue' browsers, such as 'Yapbrowser,' have demonstrated the potential for serious damage by directing end-users to potentially illegal or illicit material. 'Rogue' browsers seem to be the hot new thing among hackers."

Iskorpitx Strikes Again

2006-05-19T06:43:00.000+05:30

Type the word "Iskorpitx" into Google, and see what you get. Exactly the same word spit back at you, except from any number of different sites. That's because Iskorpitx is the handle of a hacker who recently committed the biggest hacking incident in web-hosting history. Those search results are the graffiti he left.

Thought to be a 45-year-old Turkish man, Iskorpitx successfully hacked at least 21,549 sites at once (a tally is still being made-expect the final count to be much higher), defacing pages on all of them. His signature included a Turkish flag, his handle and country of origin, and several repetitions of the "f***" next to the names of France, Greece, and Armanian [sic].

As one might imagine, this has upset quite a few people. A brief glance at the list of sites Iskorpitx affected shows the domains .org, .net, and .com, indicating a probable lack of aim or distinction on his part.

Iskorpitx has quite a reputation for this sort of thing. Since 2003, he's hacked an estimated 117,000 websites, not even including this latest round, and some of those were the sites of his own country's government.

The Turkish hacker seems to have ignited some sort of passion for the activity in his country. In recent months, more than 50 percent of notified defacements appear to have originated from Turkey. Brazil was formerly the most prominent home of these sorts of hackers.

It remains unknown whether the most recent attacks where made at the root or webserver level. Iskorpitx executes his hacks by creating subpages, regardless of what authorization level he achieves on the servers.

Iskorpitx's motivations are unclear. Although many of the Turkish hackers have religious agendas, he does not seem to share them. Whatever his reasons or inspiration, Iskorpitx is acting as a massive nuisance throughout the Web.

Via Doug Caverly.

Alert! Spoofed Symantec Email Disables Anti-virus Updates

2006-04-20T20:33:00.000+05:30

Symantec has been spoofed in the form of a high risk malicious email which looks like a Symantec Virus advisory, but actually disables anti-virus updates.

The email contained a "From" address that said it was from Symantec's Norton Anti-Virus division. The message said that the user's computer was infected with a virus called w32.aplore@mm. The user was then directed to a link that was supposed to dispose of the infection, but instead downloaded an executable file that disabled updates.

The malicious file was located on a free hosting service but the Web site mirrored a Symantec update site. The spoof was discovered by security company SurfControl.

Demand For Secure Web Environments For Kids Rises !!!

2006-04-18T11:30:00.000+05:30

With all of the recent MySpace controversy about children using it and attracting predators and whatnot, there is a growing demand from parents to have a more secure web environment for their kids.

Another driving factor for the demand is the fact that kids can write things that they may regret years later when their words are still on the web.

At least 2 companies have recognized this demand and are working to fill it. One is called Industrious Kid, and will be a "self-contained" site for kids to interact with each other. To sign up, parents will have to use their credit cards even to access free areas of the site.

The second company is called netTrekker, and it aims to protect kids from inappropriate content when searching online. Its search engine has been around since 1999 and has been primarily used in schools as its results have been approved by a large group of educatrors. Now it is available for home use as well.

With both netTrekker and Industrious Kid, it is up to the parents to sign up for the services. Provided that they work as they're supposed to, some concerns may be alleviated.

via Chris.

IE Cumulative Security Update Issued !

2006-04-12T13:09:00.000+05:30

Microsoft issued a cumulative security update for Internet Explorer, replacing several earlier security updates. Rated: Critical

The update replaces a February 28th cumulative update affecting Windows XP Service Pack 2, Windows Server 2003 Service Pack 1, Windows XP Professional x64 Edition, Windows Server 2003 x64 Edition family, and Windows Server 2003 with Service Pack 1 for Itanium-based Systems.

Along with the update, Microsoft released a compatibility patch for Enterprise users who require more time to prepare for the Active X update. The compatibility patch will function until a subsequent Internet Explorer update is available in June. The changes made to Internet Explorer in relation to Active X will become permanent after the June update. A complete list of affected software and software components are available at the Microsoft bulletin page. Updates can be downloaded there as well.

Go directly to download page…

IE Address Bar Spoof Discovered!

2006-04-11T23:10:00.000+05:30

An address bar spoof can be conducted by a malicious phisher taking advantage of a race condition in Internet Explorer.

The Secunia security advisory website advised IE users of a moderately critical vulnerability in the browser. Secunia created a test that can show if the user's browser is vulnerable.

IE 6 on fully patched Windows XP SP1/SP2 machines, and the IE 7 Beta 2 preview (March edition) demonstrate this vulnerability. In my testing, the vulnerability was present on IE 6, but not in Firefox 1.5 or Opera 9 TP2.

Like a previously reported critical issue about IE, Secunia noted that users can disable Active Scripting in the browser until Microsoft releases a patch. Secunia provided more details and a link to the test demonstrating the vulnerability:

The vulnerability is caused due to a race condition in the loading of web content and Macromedia Flash Format files (".swf") in browser windows. This can be exploited to spoof the address bar in a browser window showing web content from a malicious web site.

- Display of a spoof vulnerable IE -

- Display of a spoof proof IE -

This is how your browser should look like! Check your browser!

Secunia has constructed a test, which can be used to check if your browser is affected by this issue: Click Here to Test your Browser!

Verify:

If u have doubts on a certain page u are browsing thru and wish to verify if its legitimate or not here’s somethin u can do ! just copy the code below and place it on the address bar u are viewing the page of doubt hit enter that will display the original page location!

<copy>
javascript:alert("The Real URL address: " + location.protocol + "//" + location.hostname + "/");
</copy>

Fix / Solution :

if u want a tool that can alert you wen there is a spoof like this then use the following toolbars they come in different flavors for different browsers :)

http://toolbar.netcraft.com/
http://toolbar.trustwatch.com/
http://www.corestreet.com/spoofstick/index.html
http://pages.ebay.com/toolbar/accountguard_1.html
http://addins.msn.com/addins_category_toolbar.aspx

Microsoft Says Recovery from Malware Becoming Impossible !

2006-04-05T02:28:00.000+05:30

In a rare discussion about the severity of the Windows malware scourge, a Microsoft security official said businesses should consider investing in an automated process to wipe hard drives and reinstall operating systems as a practical way to recover from malware infestation.

"When you are dealing with rootkits and some advanced spyware programs, the only solution is to rebuild from scratch. In some cases, there really is no way to recover without nuking the systems from orbit," Mike Danseglio, program manager in the Security Solutions group at Microsoft, said in a presentation at the InfoSec World conference. Offensive rootkits, which are used hide malware programs and maintain an undetectable presence on an infected machine, have become the weapon of choice for virus and spyware writers and, because they often use kernel hooks to avoid detection, Danseglio said IT administrators may never know if all traces of a rootkit have been successfully removed.

He cited a recent instance where an unnamed branch of the U.S. government struggled with malware infestations on more than 2,000 client machines. "In that case, it was so severe that trying to recover was meaningless. They did not have an automated process to wipe and rebuild the systems, so it became a burden. They had to design a process real fast," Danseglio added.

Danseglio, who delivered two separate presentations at the conference—one on threats and countermeasures to defend against malware infestations in Windows, and the other on the frightening world on Windows rootkits—said anti-virus software is getting better at detecting and removing the latest threats, but for some sophisticated forms of malware, he conceded that the cleanup process is "just way too hard."

Microsoft says stealth rootkits are bombarding Windows XP SP2 machines. Click here to read more.

"We've seen the self-healing malware that actually detects that you're trying to get rid of it. You remove it, and the next time you look in that directory, it's sitting there. It can simply reinstall itself," he said.

"Detection is difficult, and remediation is often impossible," Danseglio declared. "If it doesn't crash your system or cause your system to freeze, how do you know it's there? The answer is you just don't know. Lots of times, you never see the infection occur in real time, and you don't see the malware lingering or running in the background."

He recommended using PepiMK Software's SpyBot Search & Destroy, Mark Russinovich's RootkitRevealer and Microsoft's own Windows Defender, all free utilities that help with malware detection and cleanup, and urged CIOs to take a defense-in-depth approach to preventing infestations.

Are virtual machine rootkits the next big threat? Click here to read more.

Danseglio said malicious hackers are conducting targeted attacks that are "stealthy and effective" and warned that the for-profit motive is much more serious than even the destructive network worms of the past. "In 2006, the attackers want to pay the rent. They don't want to write a worm that destroys your hardware. They want to assimilate your computers and use them to make money.

"At Microsoft, we are fielding 2,000 attacks per hour. We are a constant target, and you have to assume your Internet-facing service is also a big target," Danseglio said.

Trojan Holds Data for Ransom

2006-03-23T05:47:00.000+05:30

If you're the unlucky victim of a new Trojan making the rounds, it'll cost you $300 to get your data back from the Trojan's author.

As of press time the Trojan did not yet have a common CME identifier. It is currently known as cryzip by LURHQ, Symantec, McAfee and Trend Micro. Kaspersky calls it Zippo and Panda Labs calls it ZippoCryptor.

Once infected, the Trojan encrypts a user's data in a password-protected zip file. In addition to the inaccessible files, the victim is left with a ransom note in a file titled "AUTO_ZIP_REPORT.txt."

The file starts with the words, "INSTRUCTIONS HOW TO GET YUOR FILES BACK READ CAREFULLY." According to LURHQ, the typo-rife ransom note continues: "Your computer catched our software while browsing illigal porn pages, all your documents, text files, databases was archived with long enough password."

The note warns users not to attempt to crack the password on the compressed zip files. The only way to get the data back, it says, is by sending the "ransom" to an E-Gold account, apparently operated by the Trojan's author.

According to security firm LURHQ, a random E-Gold account number is automatically inserted at the top of the ransom note from an embedded list.

"By operating many accounts simultaneously, the Trojan author is betting that even if E-Gold shuts down some of the accounts, he/she will still receive payment on some of the others," LURHQ's advisory states.

So far, the Trojan does not appear to be widespread. McAfee, Panda Labs and Symantec have given it a low-risk assessment and all have issued updates to its malware definition files to identify the Trojan.

It could always be worse.

Though the cryzip Trojan may make a victim cry, at least it doesn't berate victims like last year's Cisum.A virus did.

Microsoft Application Threat Modeling!

2006-03-13T14:20:00.000+05:30

Microsoft Threat Analysis & Modeling tool allows non-security subject matter experts to enter already known information including business requirements and application architecture which is then used to produce a feature-rich threat model. Along with automatically identifying threats, the tool can produce valuable security artifacts such as:

- Data access control matrix
- Component access control matrix
- Subject-object matrix
- Data Flow
- Call Flow
- Trust Flow
- Attack Surface
- Focused reports

Download Microsoft Threat Analysis & Modeling v2.0 BETA2

Download A video introducing the Microsoft Application Threat Modeling process and The Microsoft Threat Analysis & Modeling v2 tool.

10 Immutable Laws of Security

2006-02-23T19:37:00.000+05:30

If an attacker can persuade you to run his program on your computer, it is not your computer anymore
If an attacker can alter the operating system on your computer, it is not your computer anymore
If an attacker has unrestricted physical access to your computer, it is not your computer anymore
If you allow an attacker to upload programs to your Web site, it is not your Web site any more
Weak passwords prevail over strong security
A computer is only as secure as the administrator is trustworthy
Encrypted data is only as secure as the decryption key
Out-of-date antivirus software is only marginally better than no antivirus software at all
Absolute anonymity is not practical in real life nor on the Web
Technology is not a panacea

Source : Clinic 2801 // microsoftelearning.com

Attack code out for latest Microsoft flaw

2006-02-17T05:43:00.000+05:30

Actually the heading should be Attack code out late for Microsoft flaw Why ? microsoft patched that flaw 2 days earlier cheers!

Two examples of computer code that exploit a flaw in Windows Media Player have become available only days after Microsoft released a patch to fix the bug.

The "proof-of-concept" exploits that take advantage of a flaw in the media player were posted on the Web over the past couple of days. The flaw, rated "critical" by Microsoft, could enable an attacker to seize control of a vulnerable computer system. The appearance of proof-of concept code is usually a sign that actual attacks are not far off. Microsoft, when it released its patch Tuesday, urged users to upgrade their systems as soon as possible.

Microsoft recently issued patch MS06-005 as part of its monthly security update. The vulnerability in Windows Media Player can compromise a system through malicious images embedded in the player.Versions of Windows Media Player affected by the bug include 7.1 through 10. The vulnerability was also tagged as "critical" by the French Security Incident Response Team, or FrSIRT, a research outfit that published one of the two exploits.

Microsoft announced the release of seven fixes on Tuesday, including a "critical" patch for a Windows Meta File vulnerability in Internet Explorer. It exists only in IE 5.01 with Service Pack 4 on Windows 2000 and IE 5.5 with Service Pack 2 on Windows ME, Microsoft said in the security advisory.

Windows Defender Out!

2006-02-14T16:16:00.000+05:30

wondering what is it ??? Its the transformation of microsoft antispyware (GAINT) to Beta2! so what are u waiting for ? install now! [25 million subscribers!] Microsoft will continue beta1 support till june’06

Here is a comparision chart of windows defender to other microsoft security software.

The New Face of Phishing !!!

2006-02-14T05:23:00.000+05:30

Phishing is a difficult enough form of fraud to avoid for most computer users, but when some of the biggest names in the financial industry fail to do their part to detect and eliminate these online scams, consumers often are placed in an untenable situation.

Case in point: A source recently forwarded a link to one of the "best" phishing attacks I've ever seen. This one -- targeting the tiny Mountain America credit union in Salt Lake City, Utah -- arrives in an HTML-based e-mail telling recipients that their Mountain America credit union card was automatically enrolled in the Verified by Visa program, a legitimate security program offered by Visa that is supposed to provide "reassurance that only you can use your Visa card online."

The fake MountainAmerica.net Web site

The e-mail includes the first five digits of the "enrolled card," but those five digits are found on all Mountain America bank cards, so that portion of the scam is likely to be highly convincing for some recipients. The message directs readers to click on a link and activate their new Verified by Visa membership.

Now here's where it gets really interesting. The phishing site, which is still up at the time of this writing, is protected by a Secure Sockets Layer (SSL) encryption certificate issued by a division of the credit reporting bureau Equifax that is now part of a company called Geotrust. SSL is a technology designed to ensure that sensitive information transmitted online cannot be read by a third-party who may have access to the data stream while it is being transmitted. All legitimate banking sites use them, but it's pretty rare to see them on fraudulent sites.

The SSL Certificate issued to Mountain-America.net

Geotrust and other SSL issuers are supposed to do some basic due diligence to ensure that the entity requesting an SSL certificate is indeed authorized to request it on the company's behalf. In this case, however, it looks like that process fundamentally broke down. Once a user is on the site, he can view more information about the site's security and authenticity by clicking on the padlock located in the browser's address field. Doing so, I was able to see that the certificate was issued by Equifax Secure Global eBusiness CA-1.

The certificate also contains a link to a page displaying a "ChoicePoint Unique Identifier" for more information on the issuee, which confirms that this certificate was issued to a company called Mountain America that is based in Salt Lake City (where the real Mountain America credit union is based.)

Choicepoint is a data aggregator that bills itself as "the nation's leading provider of identification and credential verification services." When Geotrust issues a certificate, Choicepoint provides a unique identifier -- an alphanumeric identifier that is supposed to be linked to a "corporate profile" that people can use to learn more about the recipient of that certificate. However, the profile page on this particular phishing site didn't have any more information than was already included in the rest of the certificate, including the company's name, city and state of incorporation, and the company's Web site (in this case, the profile refers to the phishing site's address.) It's unclear to me how the unique identifier adds anything that is of use to the person trying to verify the legitimacy of a Web site.

ChoicePoint's "Unique Global Business Record" for Mountain-America.net

I put a call in to the Geotrust folks. Ironically, a customer service representative said most of the company's managers are presently attending a security conference in Northern California put on by RSA Security, the company that pretty much wrote the book on SSL security and whose encryption algorithms power the whole process. When I hear back from Geotrust, I'll update this post.

The error page generated by Visa.com

Back to the Verified by Visa program. Users who get the phishing e-mail described above -- or any genuine communications prompting them to visit the Visa site -- might think they're being sent to another fraudulent Web site. First off, the Visa site asks users to enter their credit card number. Then there's the fact that when I clicked on any of the links on the Verified by Visa site, I received "Page not found" errors.

The site has finally been shutdown!, thanks to the hard work of the folks at the SANS Internet Storm Center, who first spotted this scam.

Also, I heard back from Geotrust. Joan Lockhart, the company's vice president of marketing, said the site was registered on Sunday and the cert was issued early this morning. Lockhart said Geotrust has a rigorous process in place to check for phishy certificate requests that relies on algorithms which check cert requests for certain words, misspellings or phrases that may indicate a phisher is involved. In this case, she said, the technology did not flag the request because there was nothing in the Internet address to indicate the site was at all related to a financial institution.

Geotrust's cert verification process is largely automated: when someone requests a cert for a particular site, the company sends an e-mail to the address included in the Web site's registrar records, along with a special code that the recipient needs to phone in to complete the process.

Lockhart said she doubted that inserting a human into that process would have flagged the account as suspicious.

"I would argue that probably anyone who is processing mountain-america.net would not have raised flags," she said.

Source: Brain Krebs

NEWS: Critical Bugs Sting Lotus Notes

2006-02-12T03:29:00.000+05:30

Some of the six holes can allow attackers to hijack corporate systems even if users only view incoming e-mail.

Six critical vulnerabilities have been found in IBM's Lotus Notes, Big Blue and security firms announced Friday, including some that could allow attackers to hijack corporate systems if users simply viewed incoming e-mail.

Danish vulnerability tracker Secunia, which discovered the half-dozen bugs, tagged them as "Highly critical," its second-from-the-top alert rating, and said that some of the flaws would create buffer overflows, normally the only entry hackers need to start dropping their own code onto a compromised computer.

Some of the vulnerabilities, said Secunia, can be exploited if users only view malicious e-mails, while others require users to open attachments or extract files from a zipped file attached to a message. Several versions of Notes are at risk, including 7.0 and 6.5.4. Upgrading Notes to 6.5.5 or 7.0.1 solves the problem, said IBM.

"In general, users are strongly urged to use caution when opening or viewing unsolicited file attachments," IBM also recommended in its advisory. IBM offered up work-arounds for customers unable to patch immediately, but they required users or administrators to disable a number of DLLs.

The last bugs to hit Notes were a handful in early January, when IBM itself acknowledged that the e-mail system and its client were open to denial-of-service (DoS) attacks.

Security In Visual Studio

2006-02-10T15:03:00.000+05:30

Security considerations should be included in all aspects of your application development, from design to deployment.

To help you effectively develop secure applications, you should have a fundamental understanding of security concepts and the security features of the platforms for which you develop. You should also have an understanding of secure coding techniques.

Understanding Security

Security in the .NET Framework: Describes .NET Framework code access security, role-based security, security policy, and security tools.

Defend Your Code with Top Ten Security Tips Every Developer Must Know (Click here): Describes the really important issues you should watch out for so that you don't compromise your data or your system.

Coding for Security

Most coding errors that result in security vulnerabilities occur because developers make invalid assumptions when working with user input or because they do not fully understand the platform for which they are developing.

Security Policy Best Practices: Describes the .NET Framework security system recommended best practices you may need to consider in your code.

Secure Coding Guidelines: Provides guidelines for classifying your components to address security issues.

Security Best Practices for C++: Discusses buffer overruns and the complete picture of the Microsoft Visual C++ security checks feature provided by the /GS compile-time flag.

Windows OneCare Pricing...

2006-02-08T03:02:00.000+05:30

Prices are out for windows one care and the offers are kooler than expected. Microsoft Windows OneCare Live will be available in June from retailers and via the Web for an annual subscription of $49.95 for up to three personal computers. To thank its valuable beta customers (like me ;) ) and offer an easy transition to the paid service, Microsoft also announced a promotional deal offering the first year of Windows OneCare Live service for $19.95 to beta customers who become subscribers between April 1 and April 30, 2006.

OneCare is now available free to all new beta testers, at http://ideas.live.com, its a must try!!!

PRODUCT DISCONTINUED!
Windows Live OneCare is no longer available for sale!
Looking for a Microsoft Solution to try goto:
Microsoft Security Essentials a FREE anti-malware solution.

Secure Coding Guidelines

2006-02-07T15:01:00.000+05:30

Evidence-based security policy and code access security provide very powerful, explicit mechanisms to implement security. Most application code can simply use the infrastructure implemented by the .NET Framework. In some cases, additional application-specific security is required, built either by extending the security system or by using new ad hoc methods.

Using the .NET Framework-enforced permissions, and other enforcement in your code, you should erect barriers to prevent malicious code from obtaining information that you do not want it to have or performing other undesirable actions. Additionally, you must strike a balance between security and usability in all the expected scenarios using trusted code.

Goto Page.

Windows OneCare Review

2006-02-06T15:26:00.000+05:30

I have been testing / playing / using OneCare for few months now, so decided to jot down a small review! hope this helps u decide what's best! Windows OneCare (still a beta) is works great and has tons of features and with many features being added on. This one is aims high for the record! Integrated Antivirus, Firewall, Defragger, Backup solutions and many more to come the best thing of all is the service is not a resource hungry u wont even notice any or much of difference at all. i tested it along with other antivirus tools and guess what very few interfere with its functioning others are probably happy to find OneCare around. what i mean is u can have Antivir / avg / avast / ez Antivirus ( parallel / along ) with OneCare and no problems they would work in harmony and still u will not notice a load on ur system, And for those who are wondering if its antivirus is good enough? think again OneCare can pretty much detect all the viruses around and protect ur system. best feature is its security level indicator and security advisories and updates. it will update missing security updates to make ur system strong! Pops up security advisories too, so as u can take necessary precautions and guess what will be the price of it once its public ? no its not that costly like Norton or MCAfee AV's in-fact its going to be the cheapest! news has it that its going to be around 50$ very affordable and guess what if u have been beta testing it u would get 60% discount too :) One more thing u will be buying OneCare as product licence not as a version product i.e., once u buy its gonna update itself add new modules add virus definitions tools all no charge as its an yearly license now that's a double thumbs-up! else like other antivirus software's u would need to pay more every-time a new version is released and the companies slowly stop service to old versions sorry no tactics here with OneCare this shows Microsoft really put out this product keeping user in mind not the money! I would really love OneCare to be free like Microsoft Antispyware but with a product like this its going to be a worthy investment to keep ur system fit and fine.

What should OneCare have: It would be kool if OneCare cud integrate Microsoft Antispyware to show in one interface easier to user but who knows by the time OneCare is out in market it mite have everything integrated to one. a registry cleaner to add in OneCare tools would be great Add-In! a safe viewer like red-wall for outlook attachments safe viewing would be gr8!. Hope to see these features in its release.

PRODUCT DISCONTINUED!
Windows Live OneCare is no longer available for sale!
Looking for a Microsoft Solution to try goto:
Microsoft Security Essentials a FREE anti-malware solution.

Beware! Feb the 3rd virus attack!

2006-02-03T02:04:00.000+05:30

HTTPS Security Improvements in Internet Explorer 7

2006-02-02T01:49:00.000+05:30

HTTPS uses encryption to secure your Internet traffic to protect it from snooping or tampering by others on the network. HTTPS uses either the Secure Sockets Layer (SSL) or the Transport Layer Security (TLS) protocols to protect data.

In order to improve security and add new functionality, changes have been made to the HTTPS implementation in Windows Internet Explorer 7. New protocol defaults in IE7 reduce the likelihood of someone taking advantage of configuration or protocol weaknesses to intercept or modify Web traffic transferred using the HTTPS protocol. New error pages provide a simplified user experience which helps to mitigate social-engineering and phishing attacks.

Read More.

Evolution XP

2006-01-28T13:35:00.000+05:30

I hav started writing for http://www.softwareandtools.com/ on operating systems
optimizations, tweaks, etc it is aimed @ presenting best optimization techniques, tools and tweaks to make ur os run better and faster.

ps: u will hav to bear with tejas as he’s a bit ad-addict.

Have you got spam from yourself?

2006-01-11T19:29:00.000+05:30

Its every domain's owners nightmare forging ur domains for spams and for once there is not much we can do. worms or virii - 101 ways to fix it. but wat abt corrupt’d spammers brains. these idiots (for lack of a worse word to use) are no better and lot worse than virus writers as much as i hate to say virus writers are probably better than spammers. spammers are cheaters, deceivers whose mindset is a lot different that us humans :-) why am i so angry ? well its a beautiful wednesday afternoon and i notice abt 90 mails / hr pouring in to my spambox guess wat? they are all replies to emails spoofed as my from my domain. makes u wonder how many servers cant detect a mail's origin? msn, gmail, yahoo do a gud job throwin these into spambox wat abt 1000 of mail servers out there ? if i had put up a mailserver to this domain ? the replies mails itself wud hav made this site go down - bandwidth! well wat can we do ? we hav to rely on our email systems identify that these mails are spoofs. but not all servers are well equipped to do so. why ? many of private instutites, offices and organisations including the famous one are lazy to just install anythin as there mailserver wen the situation worsen’s well we always got one to blame (spammers).

Every automated reply =>(implies) that the recipent server thinks u are from an original location and not a spam. and thats wat spammers rely on. well u might say " dont expect me to buy an high price enterprise level package! " well as true is that fact so is the fact that there are 100’s of mailserver softwares out there with gud antispam technology.
Admins dont be lazy, use a better mail server with good antispam servers so that i dont fill my spambox. Now, Other issue’s here are person's who's email or domain is used for spam and one who receives them.
no help for ppl who post there email address on open boards for bots to copy now here’s the funny part all the people in the address book of the careless person also gets spam’d if that person uses an email thats not eqiupped with antispm and antivirus.

its not absolute. worst case senerio wat to do ? Now how to get domains safe ?!? thats where OpenSPF comes into play founded by a person who has been bugged by spammers using his domain name to send forged emails. SPF Stands for Senders Policy Framework u can specify ur domain details n specifics and lets u create a spf record for ur domain. SPF fights return-path address forgery and makes it easier to identify spoofs.

Domain owners identify sending mail servers in DNS. SMTP receivers verify the envelope sender address against this information, and can distinguish authentic messages from forgeries before any message data is transmitted.

goto site + How it works

Sony BMG Copy Protection ?!?

2006-01-10T01:11:00.000+05:30

Its all over the news but still many ppl ask me wat the story so i decided to just post in simple words wat is the story so that i can just tell everyone to read my blog ;) frankly everyone shd be knowing this by now for those who dont read this:

sony released its cds with its new copy protection software (xcp). while the cds played normally on cd players if u wanted to play them on your systems u wud hav to install sony media player bundled on the cd. this installation included the copyprotection software therby preventing reading of music content on cd by any other software other than its native player this is done by rewritin few functions of os. in order for it to do this the software behaved like a rootkit ( a well built rootkit ) its function to prevent any access to folders whose name begins with $sys$ the copy protection software hides itself in the same and chks every cd for copy protection before it gives control to the software u are using to access it.

few @ sony thought this was preety ingenious but they made a basic flaw to see if there software acts as doorway to hackers or virus writers ?!? we knw many worms are designed to dump itself in system32 folder using %system32% in path. now this is worse the worm can be designed to create a directory with the $sys$ prefix anywher and ur os will be blind to notice it as it is concealed by sony’s copy protection got the point !

So thats the whole story! wat happend in the end ? sony recalled its cds “millions” Not before the news was out!, Not before millions of os had installed this! (some 50+ albums sold with this copyprotection) so imagine everyone who bought them were venurable! and worse is yet to come: Not before a worm’s release! there was a worm out within a week of this matter in news headlines. Now get this sony was approached by f-secure guys with this threat long long back wat did sony do ? Ignored ! everyone payed the price rest is history!

want to knw if there was any funny side to the story:
then imagine the mountains of cds in sony’s gowdons lol.
so any new office policies :: dont play music cds he he he kiddin…

so any gud guys ?!? yes f-secure of course! instead of announcing to press that wud add another star on f-secure’s collar the company contacted sony with the problem and dint leak fearing a mass systems infection.

ps: i dont think anyone can be more simple :)
cheers.

Firefox 1.5 buffer overflow & Prevention!

2005-12-10T18:25:00.000+05:30

Basically firefox logs all kinda of URL data in it's history.dat file, this little script will set a really large topic and Firefox will then save that topic into it's history.dat.. The next time that firefox is
opened, it will instantly crash due to a buffer overflow -- this will happen everytime until you manually delete the history.dat file -- which most users won't figure out.

This proof of concept will only prevent someone from reopening their browser after being exploited. DoS if you will. however, code execution is possible with some modifcations.

Prevention : Use NoScript a mozilla / firefox extension this will restrict all java scripts unless u authorise so basically u are protected!

Vista Security Feature

2005-08-23T13:02:00.000+05:30

Enhancing security

An important security change within Vista will be a shift away from the Adminstrator as default. Every user will need to create an account, and those needing Administrator access will need to log in separately. Currently, the default user is Administrator, and this has allowed criminal hackers to attempt to take remote control of Windows XP machines.

Writing Secure Code with Visual Studio 2005

2005-08-21T16:33:00.000+05:30

A walkthrough of the enhancements in Visual Studio 2005 that will help make your applications more secure and robust. Learn about the fundamental design principles for building secure applications using various tools and techniques. See how Visual Studio 2005 uses technologies such as FxCop and Code Access Security to help create more secure managed code applications, while PREfast and the /GS switch can help secure your native code applications.

Zotob! the plug n play worm

2005-08-20T00:03:00.000+05:30

Zotob is a worm that targets Windows 2000–based computers and takes advantage of a security issue that was addressed by Microsoft Security Bulletin MS05-039. This worm and its variants install malicious software, and then search for other computers to infect.

If you have installed the update released with Security Bulletin MS05-039, you are already protected from Zotob and its variants. If you are using any supported version of Windows other than Windows 2000, you are not at risk from Zotob and its variants.

Use the Microsoft Windows Malicious Software Removal Tool to search for and remove the Zotob worm and its variants from your hard drive. This tool checks for and removes infections from Zotob.A through Zotob.E as well as Bobax.O, Esbot.A, Rbot.MA, Rbot.MB, and Rbot.MC. It also checks for and removes all versions of malicious software that the tool has been updated to remove.

To Terminate Zotob:

Run the Windows Malicious Software Removal Tool ( IE )
Or Download Malicious Software Removal Tool
And Install Security Update 899588.

Security and Protection in Windows Vista

2005-07-24T23:28:00.000+05:30

• Security Features and Improvements

This paper describes the most significant security improvements in Windows Vista, the benefits they provide, and why the new features matter to IT professionals.

• Scenarios for Enhancing Security

Find out what's new for Security in Windows Vista, and the benefits and impact of the new and changed features. Scenarios are included.

New Security Features

Exchange Server 2003 Security Hardening Guide

2005-07-10T17:56:00.000+05:30

Read the entire Exchange Server 2003 Security Hardening Guide online or download the Exchange Server 2003 Security Hardening Guide . This guide is designed to provide you with essential information about how to harden your Exchange Server 2003 environment. In addition to practical, hands-on configuration recommendations, this guide includes strategies for combating spam, viruses, and other external threats to your Exchange 2003 messaging system. Important: Since the previous version of this guide was released, the following new topics have been added and are available only online:

• Running Exchange Server 2003 Clusters in a Security-Hardened Environment
• How to Run Exchange Server 2003 Clusters in a Security-Hardened Environment

Loading Blowfish-Encrypted Data Into an MSXML2 DOM Object

2005-06-18T11:42:00.000+05:30

When using the MSXML2 library, you typically load XML files from disk into a DOM (Document Object Model) object by creating an instance of IXMLDOMDocument and calling its load function—where you pass a BSTR reprentation of the file name. However, I had a situation recently where—due to security concerns—I needed to first decrypt the XML data in memory and then load that memory (without writing it to disk) into a DOM object. Surprisingly, I wasn't able to find any open source examples of how to do this, so I wrote a couple of helper functions to accomplish this task. Hopefully, these functions will help others who run into a similar situation.

Deploying Authenticode with Cryptographic Hardware for Secure Software Publishing

2005-06-16T23:22:00.000+05:30

The ability of users to trust code that is published on the Internet is a major challenge facing the software industry. Similarly, large organizations deploying line of business applications such as enterprise resource planning (ERP) systems must decide what software to trust. Packaged software has traditionally relied upon branding and trusted sales outlets to assure users of the legitimacy and integrity of the software. This is not available when code is transmitted across the Internet. Building trust requires a reliable mechanism by which users can verify the identity of a code publisher and verify that the code has not been changed since its publication date.

Malicious code in the form of viruses, worms, and Trojans is now a serious threat that impacts every computer user, whether network-connected or not. Recent reports indicate that, in the United States alone, the effect of malicious code costs industry and consumers between $427M and $522M in 2004.

This paper describes the role of Microsoft Authenticode code-signing and time-stamping in establishing user trust in code that is published online. It provides an overview of the Authenticode code-signing and time-stamping process and examines the role of public key cryptography in proving the identity of the code publisher and proving that code has not been tampered with since original publication. The paper looks at the importance of protecting the credentials that underpin Authenticode and the role of cryptographic hardware in securing digital keys and certificates.

admins / spammers / proxies

2005-06-08T00:51:00.000+05:30

Why some server administrators make mistakes with their proxy servers?

It happened because somebody just dropped a proxy server on their network without fully considering the consequences of their action. They didn't bother to properly design a server access control list, and because it is available on the public internet, a spammer found it and began to use it for their spamming ventures.
Quite often a server administrator is very upset at his mistake, and is looking to "pursue each ISP in attempts to track down the guilty parties". Unfortunately, he is ignoring the person who had the most power to prevent this situation. Himself.
Live, learn, realize that you made a mistake configuring your server, and get back to working. Unless your business is that of hunting spammers, it really will not be worth your while to waste money and time chasing ISPs and shadows of spam fiends.

HeroWar !

2005-06-06T22:20:00.000+05:30

My Entrance to Role Play Games...
http://www.herowar.com/recruit.phtml?id=10463

"Security - less about technology, more about processes"

2005-05-22T14:09:00.000+05:30

Building the right processes and inculcating the right people may lessen the need for additional security mechanisms, say Microsoft's executives in an exclusive interview with CIOL.

BANGALORE (21st May): Many would scoff at the idea of the Redmond based software giant, Microsoft, talking seriously about security and trying to advice customers on the strategy that has to be built to ensure better levels of the same. But for Steve Riley, Product Manager, Security Business Unit and Dave Glover, Developer Evangelist, Microsoft-Australia, its all part of the game. In India for the first time to talk about the Unit's products and reach out to enterprises to educate them on security strategy, the duo spoke with Sathya Mithra Ashok on the Unit's functions and how Microsoft aims to change its perception on security among enterprises.

Excerpts.

When was the Security Business Unit formed and what does its functions include

The Unit was formed nearly three years ago. It was formed to address some of the growing security issues within enterprises. Most enterprises, which were having security problems, found it easy to blame the technology alone. But that is not true. Security is less about technology and more about the processes and people built up in the enterprise. In fact, if enterprises concentrate on building the right processes and inculcate the right people, they would find that they might not need all the additional blocking mechanisms that many of them invest in regularly.
This attention to process must stem from basis co-ordination between application development and operations, which will be using the application. Teaching the basics of security to everybody in the organization involved with IT is essential. It's also important to know and trust the people who are involved in IT to a large extent, like your system administrators.
Most security threats for enterprises come from the inside. There is always a human element to security and the person on the inside already knows everything about the organization and therefore has much less to do to harm it. Security is not about he brand, but about systems management. Part of the fault lies with us too, in that we had not taken the initiative to educate enterprises more proactively. The Unit aims to remedy that.
There are around 1000 people in the Unit alone and if you count in the extended people connected to the Unit it would be around 6000. Formerly, whatever number of products Microsoft had, that was the number of ways of update implementation that there was. But now everything has to go through the Unit and if the Unit finds that it lacks in security, it goes back to development, even if there will be a delay in release. That is also part of the Unit's functions.

Was the growing popularity of open source operating systems part of the reason for the formation of the Unit and the propagation of security as a process for Microsoft?

We are a competitive company. And there are a lot of things we take into consideration. This would include IBM's initiatives, Novell's work or open source as a whole. Therefore, open source, along with IBM and Novell and other competitive initiatives would have been a consideration in the formation of the Unit.

Are Indian enterprises'outlook towards security the same as the world over?

We've been meeting CIOs and enterprise IT representatives for over four days now in India. We find that everyone acknowledges the importance of security but many of them don't understand how to go about it. Also, many enterprises lack in properly skilled people to handle their security. This is purely anecdotal but many of them we spoke to opined that most trained people opted to work for the outsourced software service providers rather than enterprises. And that situation is pretty unique to India because there are not very many places where outsourcing is as big an activity as here.

How much is revenue generation a part of the Unit?

We are a for-profit company and its naïve to ignore revenue-generating potentials of technology. Products associated with the Unit generate most of the revenue and it comprises a really small part of the overall revenues. Our products include the Internet Security and Acceleration Server, Windows Rights Management Services and other products or patches bundled with Windows and other MS products. But the fact is that revenues are not as important as the idea of spreading the message of security as processes and people oriented more than technology.

Microsoft has a huge perception issue to battle in the area of security – the perception that its software is open to more attacks than any other. How do you combat that perception?

We talk to enterprises. We try to bring to light the fact that every software has its vulnerabilities that can be exploited. We also point out to them that with each upgrade of its various software offerings Microsoft has steadily reduced the number of vulnerabilities in it. We demonstrate that it is safe to keep even security within the Microsoft umbrella.

We also educate them on the fact that the software or technology cannot be blamed all the time. That with proper processes and people in place, the company would not need to have blocks in place to prevent exploitation of vulnerabilities because the processes will ensure that there can be no exploitation.

All of it boils down to customer satisfaction. If they are not satisfied, they would look elsewhere. It's an uphill battle for Microsoft, but as long as we can pass the message of security I think we have achieved quite a bit.

Tech Notes

THE ART OF COMPUTER VIRUS RESEARCH AND DEFENSE

2005-05-22T14:06:00.000+05:30

By Peter Szor
Published by Addison-Wesley Professional
ISBN: 0321304543 Buy Now!
Published:February, 2005
Pages:744

About the author

Peter Szor graduated from the University of Veszprem Hungary in 1991. He is best known as the author of the popular Hungarian virus scanner called Pasteur, which he developed between 1990 and 1995. Szor.s interest in computer viruses began in 1990. He worked on various anti-virus scanning engines over the last decade including F-PROT, AVP, and Norton AntiVirus. Szor was invited to join CARO (Computer Anti-virus Researchers' Organization) in 1997. He is a frequent speaker at Virus Bulletin, EICAR, and ICSA conferences, and a regular contributor to Virus Bulletin magazine.

In 1999 Szor joined Symantec, where he designs and develops anti-virus technologies for the Norton Anti-virus product line. He is the author of several U.S. patents that are pending.

Free Chapter:
9.1 Introduction

This chapter discusses the generic (or at least "typical") structure of advanced computer worms and the common strategies that computer worms use to invade new target systems. Computer worms primarily replicate on networks, but they represent a subclass of computer viruses. Interestingly enough, even in security research communities, many people imply that computer worms are dramatically different from computer viruses. In fact, even within CARO (Computer Antivirus Researchers Organization), researchers do not share a common view about what exactly can be classified as a "worm." We wish to share a common view, but well, at least a few of us agree that all computer worms are ultimately viruses¹. Let me explain.

The network-oriented infection strategy is indeed a primary difference between viruses and computer worms. Moreover, worms usually do not need to infect files but propagate as standalone programs. Additionally, several worms can take control of remote systems without any help from the users, usually exploiting a vulnerability or set of vulnerabilities. These usual characteristics of computer worms, however, do not always hold. Table 9.1 shows several well-known threats.

Table 9.1 Well-Known Computer Worms and Their Infection Methods

Name / Discovered	Type	Infection	Execution Method
WM/ShareFun February 1997	Microsoft Mail dependent mailer	Word 6 and 7 documents	By user
Win/RedTeam January 1998	Injects outgoing mail to Eudora mailboxes	Infects Windows NE files	By user
W32/Ska@m (Happy99 worm) January 1999	32-bit Windows mailer worm	Infects WSOCK32.DLL (by inserting a little hook function)	By user
W97M/Melissa@mm March 1999	Word 97 mass-mailer worm	Infects other Word 97 documents	By user
VBS/LoveLetter@mm² May 2000	Visual Basic Script mass-mailer worm	Overwrites other VBS files with itself	By user
W32/Nimda@mm September 2001	32-bit Windows mass-mailer worm	Infects 32-bit PE files	Exploits vulnerabilities to execute itself on target

Table 9.1 suggests that infection of file objects is a fairly common technique among early, successful computer worms. According to one of the worm definitions, a worm must be self-contained and spread whole, not depending on attaching itself to a host file. However, this definition does not mean that worms cannot act as file infector viruses in addition to network-based propagators.

Of course, many other worms, such as Morris³, Slapper⁴, CodeRed, Ramen, Cheese⁵, Sadmind⁶, and Blaster, do not have file infection strategies but simply infect new nodes over the network. Thus defense methods against worms must focus on the protection of the network and the network-connected node.

1 2 3 4 5 6 7 8 9 Next page >>

" Worm: n., A self-replicating program able to propagate itself across network, typically having a detrimental effect."

—Concise Oxford English Dictionary, Revised Tenth Edition.

How to enable SSL on Windows XP SP2

2005-05-20T05:46:00.000+05:30

These tips comes from Sahil Malik and it's too much interesting for not bookmarked it:

XP SP2 has SSL disabled, and if you want to enable it, these are the steps:

Enable to HTTP SSL Service.
Download IIS resource kit for IIS 6.0 (Even though XP has IIS 5.1)
Run SelfSSL.Exe /N:CN=Sahil /V:30 /S:1

Now your SSL is enabled!

For more accuracy, remember that the above are instructions to enable an SSL website, and install a development environment certificate, on Windows XP SP2.

via: Stefano

Microsoft Security Week (MSDN)

2005-05-11T09:11:00.000+05:30

>> Session 1: Building Secure Applications

This session will cover building standards based secure "Service Orientated Architecture" solutions and we'll look at the tools and the technologies to help make this a reality.

>> Session 2: Microsoft IT Application Software Assurance Program (ASAP)

The Microsoft Information Technology organization (Microsoft IT) developed the Application Software Assurance Program (ASAP) to inventory, assess, and—when necessary—help resolve potential security and privacy vulnerabilities found in line-of-business applications. The program defines the standards and best practices for providing security and confidentiality for all applications currently in production, and for those under development.

Venue: Viceroy, Hyderabad May 13th 9:00 AM!

Click here for other cities in India.

& This is why I use Anti-virus and Firewalls

2005-04-29T21:32:00.000+05:30

Jacques' Hack Attack

We're always telling you how important anti-virus and firewall software is for securing your home PC - the Internet is a dangerous place for unprotected PCs. Spencer Kelly met up with a reformed ex-hacker, who gave him a demonstration of just how much damage a worm or virus can do to your home computer.

See Spencer's Report : (Windows Media) Low | Medium | High / (Real Player) Low | Medium | High

Check out the video clip from BBC World, showing an ex-hacker at work. Seems way too easy altogether. 8 seconds and u are a goner !!!

Bottom line if u love ur pc u wud hav Antivirus and Firewall installed!

Free AntiSpyware's n Firewall's

2005-04-29T21:17:00.000+05:30

Here’s a list of some of the best antispyware’s and firewall’s that too freeware !!!, get secure without spending green!

AntiSpyware’s:

Microsoft Windows AntiSpyware
Microsoft Windows AntiSpyware is a new product from Microsoft, that is based on the former Giant AntiSpyware product. It detects and removes adware and spyware from your computer, and also features a ...
Freeware More info & Download

KL-Detector
KL-Detector is designed to provide a way to find out whether your activity is being recorded with a keylogger application. It uses the fact that most keyloggers create a hidden log file on your hard ...
Freeware More info & Download

X-Cleaner Free
XCleaner is a privacy tool suite that detects and removes installed spyware and adware components and includes tools to securely delete files, edit the registry, disable startup programs and more. Ad ...
Freeware More info & Download

SpywareGuard
SpywareGuard provides a real-time protection solution against so-called spyware. It works similar to an anti-virus program, by scanning EXE and CAB files on access and alerting you if known spyware ...
Freeware More info & Download

Perfect Process
Perfect Process is a spyware/adware shield that protects your computer in real-time from more than a 1000 potential spyware and malware programs. The program can also connect to a network machine and ...
Freeware More info & Download

Spybot - Search & Destroy
Spybot - Search & Destroy is an adware and spyware detection and removal tool. This includes removal of certain advertising components, that may gather statistics as well as detection of various ...
Freeware More info & Download

Aranea Spywizard
Aranea Spywizard is a adware and malware scanner that scans for various known Dialers, Popups, Toolbars, and other parasites. It performs a very fast registry scan that only takes a second, however ...
Freeware More info & Download

Ad-Aware
AdAware is a privacy tool, that scans your memory, registry, hard, removable and optical drives for known data-mining, aggressive advertising, and tracking components. It then lists the results and o ...
Freeware More info & Download

X-RayPC Spyware Process Analyzer
X-RayPC Spyware Process Analyzer is as a tool to assist expert spyware researchers in quicly analyzing a PC. It performs a quick scan of all active processes, auto-start programs, BHOs, and IE Downl ...
Freeware More info & Download

Webroot SpyAudit
SpyAudit is a small tool that quickly scans your system registry and hard drive space for thousands of known spyware programs. The results are launched in your browser with detailed descriptions on ...
Freeware More info & Download

HijackThis
HijackThis is a tool, that lists all installed browser add-on, buttons, startup items and allows you to inspect, and optionally remove selected items. The program can create a backup of your original ...
Freeware More info & Download

SpywareBlaster
SpywareBlaster doesn`t scan and clean for so-called spyware, but prevents it from being installed in the first place. It achieves this by disabling the CLSIDs of popular spyware ActiveX controls, and ...
Freeware More info & Download

Bazooka
Bazooka Adware and Spyware Scanner is a small and fast scanning engine that scans your system for more than 460 known spyware and adware installation. This includes keyloggers, activity monitors, Tro ...
Freeware More info & Download

EMCO Malware Bouncer
EMCO Malware Bouncer is a malware removal utility that detects more than 4000 adware, trojans, worms, spyware and dialers. In addition it includes a special removal engine for Alexa Toolbar, HotBar, ...
Freeware More info & Download

XP-AntiSpy
XP-AntiSpy is a small utility to quickly disable some built-in update and authentication features in WindowsXP that may rise security or privacy concerns in some people. For example, there is a serv ...
Freeware More info & Download

Firewall’s:

ZoneAlarm
ZoneAlarm provides essential protection for Internet users. Combining the safety of a dynamic firewall with total control over applications Internet use, ZoneAlarm gives rock-solid protection agains ...
Freeware More info & Download

Sygate Personal Firewall
Sygate Personal Firewall is more than an advanced, user-friendly personal firewall -- it is a bi-directional intrusion defense system. Sygate Personal Firewall ensures your personal computer is comp ...
Freeware More info & Download

Kerio Personal Firewall
Kerio Personal Firewall (KPF) is a software agent that builds a barrier between your personal computer and the Internet. KPF is designed to protect your PC against attacks from both the Internet, and ...
Freeware More info & Download

Jetico Personal Firewall
Jetico Personal Firewall can protect your computer from outside attacks, as well as from malicious programs that are attempting to communicate with the outside. It offers three levels of protection ...
Freeware More info & Download

NetVeda Safety.Net
NetVeda Safety.Net is an application firewall that offers inbound and outbound protection, as well as filtering, parental controls and email safety to protect you from hackers, worms, Trojans and in ...
Freeware More info & Download

SoftPerfect Personal Firewall
SoftPerfect Personal Firewall is a rule based network firewall to protect your PC against incoming attacks from the Internet or the local area network. It offers rule based settings for packet filter ...
Freeware More info & Download

Filseclab Personal Firewall
Filseclab Personal Firewall is a personal firewall that allows you to control which programs can access the Internet and at what times. It offers an automated rules wizard that will prompt you for a ...
Freeware More info & Download

NetBoz Firewall
NetBoz is a burn-and-play network firewall, that boots from a CD-ROM and does not use a hard disk. You can make a firewall out of any old Pentium class PC with min. 64mb Ram. NetBoz provides a compre ...
Freeware More info & Download

Look n Stop Lite
Look 'n' Stop Lite is a rule based firewall that allows you to filter all incoming traffic into your computer by setting up rules for individual ports and protocols. The firewall comes pre-configured ...
Freeware More info & Download

Install AD\AM !

2005-04-28T21:23:00.000+05:30

Install AD\AM, the Secure Windows LDAP Service, Microsoft introduced a portable, scalable, and secure Lightweight Directory Access Protocol (LDAP) database based on their Network Operating System (NOS) Active Directory (AD). This service is called Active Directory [surprise, surprise] Application Mode, or AD\AM for short. AD\AM is a very simple, yet powerful, LDAP service you can use to handle authentication for your online applications, without requiring a full-blown NOS directory.

Why Use AD\AM?
AD\AM is a LDAP database that is primarily used to store users, groups, and other objects that represent organizations or other associations. It allows you to easily implement security within your applications, without having to write a huge amount of validation or user management code.

AD\AM provides the following capabilities, which separate it from AD:

Simple backup and recovery – AD\AM uses a single .dit file, which contains all the database information.
Easy installation and clean uninstall – It doesn't require you to have DNS working nor to install additional components on a server.
Extended support for X.500 directory naming rather than just DNS directory-style naming.
Effortless schema extensions without impacting on production Active Directory environments.
Free download from Microsoft – AD\AM itself does not have a license cost associated with it.
Can run multiple instances on the same machine (similar in concept to multiple instances of SQL Server 2000).

AD\AM has a number of great features that make it perfect for an online authentication system:

Password Policies – AD\AM provides the ability to ensure that a user's password meets certain complexity requirements (e.g., number of characters, case, alpha-numeric, etc.). Have you ever tried to write that code? What a pain!
Encrypted password store – AD\AM uses the same password encryption store as Active Directory, and as such, passwords cannot be reverse-engineered (unless you store them in reversible encryption).
Ability to use Active Directory authentication for internal users – AD\AM can pass off the authentication to Active Directory, allowing AD to authorize internal users to use the online application.

AD\AM has the ability to scale out in proportions similar to Active Directory. So given all the great things about AD\AM, what are its limitations?

AD\AM installs only on Windows XP (SP1 or above), Windows Server 2003 Standard, Enterprise, and Data Center Editions, but not on Windows 2000 (any edition) or Windows Server 2003 Web Edition.
For Windows XP, the AD\AM install is a limited release. You are limited to 10,000 objects within the AD\AM instance.
AD\AM currently does not have complete integration with Microsoft's Authentication Manager (nick-named AZMan). However, this is reportedly cleaned up in SP1 for Windows 2003 (no promises though!).
AD\AM has no capabilities for Kerberos. If you wish to use Kerberos, you need to implement Active Directory (and probably not over the Web!).
Pass-through (or user-proxy) authentication requires domain membership.

AD\AM comes in six different flavors. When you download AD\AM, be sure to select the correct version for your requirements.

File Name	Platform	Download Link	File Size (Bytes)
AdamMUIia64.msi	64-bit	AdamMUIia64.msi	3,574
AdamMUIx86.msi	32-bit	AdamMUIx86.msi	9,880
ADAMredistIA64.exe	64-bit	ADAMredistIA64.exe	10,895
ADAMredistX86.exe	32-bit	ADAMredistX86.exe	8,467
ADAMretailIA64.exe	64-bit	ADAMretailIA64.exe	10,891
ADAMretailX86.exe	32-bit	ADAMretailX86.exe	8,463

You can review the information about the individual downloads from the Microsoft AD\AM download site.

People who mistype 'Google.com' !!!

2005-04-28T19:51:00.000+05:30

Scheme preys on people who mistype 'Google.com'

Security researchers have discovered an attack aimed at would-be visitors to Google.com, one that attempts to download malicious programs onto the computers of people who simply mistype the search giant's Web address.

According to security specialist F-Secure, unsuspecting Web surfers may be bombarded with various types of Trojan horse threats, spyware and backdoors when they go to "Googkle.com." The scheme is meant to take advantage of sloppy or hurried typists, given that on most keyboards the letter "k" key sits next to the "l" needed to type "Google."

Google representatives said the company had no comment on the matter for the time being. In the past, the company appears to have made moves to protect its users against mistyping errors. If a person puts an extra "o" in Google's URL, they are simply redirected to the company's homepage. On the other hand, if someone mistakenly adds a fourth "o" to Google, they are directed to USseek.com, a Web portal that offers pop-up advertising for an online casino.

In an advisory, F-Secure strongly advises people not to go to Googkle.com. People who do so will see two pop-ups linked to Web sites that install the Trojan programs. One of the programs is a phishing-style Trojan that attempts to garner individuals' online banking information, while another drops phony antivirus alerts on the victim's desktop that attempt to lure people to other infected Web sites.

While relatively low-tech in terms of its social engineering, the URL mistype attack is an approach that has long been incorporated by many different kinds of Internet opportunists, from legitimate companies trying to steal traffic from their rivals or simply piggyback on the success of larger companies, to criminals looking to misrepresent themselves and trick consumers into handing over personal data. In one of the most famous instances of URL deception, the site hosted at Whitehouse.com for several years was an advertisement for pornography, not a link to the office of the president, whose official site is Whitehouse.gov.

TIPS: Building Secure Web Applications - ASP.NET

2005-04-25T12:55:00.000+05:30

Security is the matter of the moment now! Building secure web applications is an integral part of today's web development owing to the alarmingly increasing number of hacking threats.

Some of the key things to keep in mind while building secure web applications are

1. Never expose open SQL Statements in your Code.

A statement "select username from users where username='"+ txtUserName.txt +"' and password ='" + txtPassword + "' "

can be easily hacked by a malicious user to read as follows:-
select username from users where username= ' ' OR ' '='' AND password= ''OR ''=''

The above statement will compare "nothing" to "nothing" which will always return True. This will authenticate the user and fetch the first username in the table.
To avoid such type of hacking always use Stored Procedures which are much secured and also good in Performance.

2. Always switch On Custom Errors in the web.config. They are friendly when switched off, only to us and not friendly when viewed by users. Make sure once you go for deployment, to make it either RemoteOnly or On

An ASP.NET Detailed error page can provide the exact error such as, where the application broke and if due to a SQL End problem, straight away can expose the TableName and thus the DB Structure.

Therefore, always use Custom Errors and take the users to a page which tells "Sorry for the Inconvenience..." once an error occurs in your application.

3. Validate all data received as input from the clients. A search textbox which gets search text from the user can very well prove an excellent source for a hacker to embed his SQL Statements, Scripts.

Therefore, ensure you turn the ValidateRequest="True" at the Page directive or do it at the web.config level. Also, validate if the text entered contains any statement like SELECT, DELETE etc., before processing the information.

4. Never use sa username for your DB Connection String. Its most vulnerable and can be compromised with. Always use a custom Username and Password to access the database from your application.

5. Never store Passwords in your Database as plain text. Hash them or encrypt them to make them secured. Also, sending the password by Email is another source of security threat.

There are many more secure strategies which when followed provide a safe environment for your applications and perhaps can save a Bad Day for you due to hacking.

via Harish

Building Secure Web Applications using ASP.NET 2.0 ("Whidbey")

2005-04-25T12:34:00.000+05:30

In .NET Framework 2.0 ("Whidbey"), ASP.NET has undergone a lot of enhancements. Building secure web applications is one of the aspects that deserves good attention. There are many new features introduced such as Login Control, Membership API and Personalization API which helps in increasing the productivity of developers.

In .NET 1.1, you can leverage the Forms Authentication to take your anonymous users to the login page. The "Login Page" is your call and you need to code the logic for validating a user against his credentails. Now, you dont need to do it in 2.0. Microsoft has provided cool features like Login Control which you can just drag and drop! and use it for validating your users. It has provided controls for Creating, Modifying, Assigning roles and deletion of users. All of this without you writing single code.

In .NET 1.1, Forms Authentication works on Cookie based scenarios. This has been changed and in 2.0, Forms Authentication woirks for both cookie based and cookieless scenarios. So, your .NET 1.1 code will work very well when moved to 2.0 Framework.
For Cookie based scenarios, it will work the same as earlier and for Cookie Less Scenarios, the Cookie information is encrypted and attached as a querystring value to the URL. Its a long chunk of characters which determine the User's identity and validity.

The Membership API, allows you to manage users effectively, without writing a single line of code. There is also a Website Administration Tool, which comes automatically and from there you can do a website administration for your applications.
In general, the focus has been towards increasing the developer's productivity and automating the plumbing work done which earlier, had to be done manually.
For more information check ASP.NET 2.0

via Harish

Object Level Security Auditing ( Target only what is required in Auditing )

2005-04-19T19:54:00.000+05:30

Its no big secret that Windows Server 2003 allows you to perform auditing in fine granular detail. The only problem is that if you audit too many events, your audit logs will be huge and looking for a specific event in the security logs will be like looking for the proverbial needle in the haystack. Because of this, I always recommend that organizations audit only the events that would most likely reflect a security breach or an attempted security breach. These events usually consist of logon failures, account management successes and failures, and successful or failed policy changes. These and other common events can easily be audited by enabling the appropriate audit option within the group policy.

More...

The Definitive Guide to Securing Windows in the Enterprise.

2005-04-18T16:32:00.000+05:30

Complete eBook Now Available!

The Definitive Guide to Securing Windows in the Enterprise, written by industry expert Don Jones, introduces often-overlooked areas of Windows security and provides practical advice for handling them. In addition, the guide explores tools and techniques that can overcome possible Windows shortcomings and missing capabilities to help you to develop a more comprehensive, detailed, and functional security plan for any Windows enterprise.

Get the book.
Happy Readin...

DNS Server Security!!!

2005-04-18T14:49:00.000+05:30

As you probably know, the Active Directory is completely dependant on the DNS services. However, DNS was originally designed as a mechanism for resolving host names into IP addresses on the Internet. Although the task of resolving host names on the Internet is procedurally very similar to the task of resolving host names for the Active Directory, the fact is that the DNS services were not originally intended to handle the demands of an Active Directory environment.

DNS has traditionally been a static mechanism. In an Internet environment, a DNS Serverâs records (for which the server is authoritative) only change when an Administrator adds, deletes, or modifies a record. This usually only happens if a new domain name is registered, a server changes IP addresses, a domain name is relinquished, or in other similar situations.

By comparison, Active Directory environments are much more dynamic. Any time that a new workstation or server is added to an Active Directory domain, a corresponding DNS entry must be created that associates the PCâs name with itâs IP address. The problem is that DHCP servers are commonly used to dynamically assign IP addresses to workstations. This means that a workstationâs IP address can change on a frequent basis. To keep the Active Directory functioning correctly, the DNS record that corresponds to a machine must be updated every time that the machineâs IP address changes. Since this would be nearly impossible for an administrator to keep up with manually, Microsoft includes dynamic DNS services with Windows servers.

In a traditional DNS environment, only the Administrator makes changes to DNS servers. In a dynamic DNS environment however, every workstation on the entire network has the authority to make changes to the DNS serverâs record set. The trick is therefore to prevent changes from being made to DNS records that might be incorrect or malicious.

Microsoft solved this problem by designing the DNS services so that they supported multiple zone types. A normal DNS server supports primary, secondary, and stub zones. A Windows based DNS server supports these same types of zones, but gives you the option of creating Active Directory integrated zones (assuming that the DNS services are running on a domain controller).

For the most part, an Active Directory integrated zone functions similarly to a zone that isnât integrated into the Active Directory. The main difference is that an Active Directory integrated zone stores its records within the Active Directory rather than in a zone file. This allows zone information to be portable, but there is a more important reason for the Active Directory integration.

A traditional DNS server does not maintain any type of zone security. By moving zone information to the Active Directory, it becomes possible for Windows to associate an access control list (ACL) with the zone. Of course, all of this happens behind the scenes when you initially setup Active Directory. Windows automatically configures the ACL so that authenticated users have the Create All Child Objects permission. This allows a DNS entry to be created when a workstation comes online (assuming that the entry doesnât already exist), without giving users sufficient rights to do anything destructive. Domain Admins, Enterprise Admins, and Domain Controllers have higher levels of access that allow full DNS management.

The reason why it is important to know about this is because Windows allows you to convert an Active Directory integrated zone into a non Active Directory integrated zone, and visa versa. Granted, this isnât exactly something that you would do on a daily basis, but converting to a non Active Directory integrated zone allows zone information to be exported to a file. This is a common requirement in DNS related disaster recovery scenarios. When you convert an Active Directory integrated zone into a non Active Directory integrated zone, Windows removes the zoneâs ACL. This means that there is no longer any security protecting the zone.

As I mentioned earlier, you can convert a zone into an Active Directory integrated zone. If you do this and your DNS Server is running Windows Server 2003, then the ACL is automatically reconstructed (with default values). However, there is a bug in Windows 2000 Server that causes the ACL not to be created if a zone is converted into an Active Directory Integrated zone. Therefore, if your DNS server is still running Windows 2000, it might be worth your while to check out your zoneâs ACL to make sure that it isnât empty. To do so, just right click on the zone within the DNS console and select the Properties command from the shortcut menu. The zoneâs ACL is located on the Security tab.

Good read, via msd2d.com

Differences Between IDS and IPS

2005-04-18T00:22:00.000+05:30

"An interesting article explaining differences between IDS n IPS..."

With the rapid increasing of internal threats, and those that easily bypass traditional perimeter security defenses, organizations must think about security beyond the perimeter. To meet these demands many organizations have looked to Intrusion Prevention Systems (IPS) and Intrusion Detection Systems (IDS). While IPS and IDS are an important feature in a layered security deployment, products falling under these categories only partially address the unique requirements of internal networks.

IPS and IDS originally were designed to address requirements lacking in most legacy firewalls and traditional perimeter defense systems. IDS solutions are typically used to monitor potential intrusions after the fact, and IPS solutions are focused on identifying and blocking attack traffic. IPS's inherited from their IDS predecessors both a reliance on reactive signatures to detect attacks and an orientation for perimeter security. While both systems play a critical role in preventing external attacks, neither is prepared to completely protect an organization from internal threats. Read more...

Microsoft Security Risk Self-Assessment Tool (MSRSAT)

2005-04-17T17:56:00.000+05:30

Download the Microsoft Security Risk Self-Assessment Tool (MSRSAT) and install it on your computer to obtain information and recommendations about best practices to help enhance security within your information technology (IT) infrastructure.
This application is designed to help organizations with fewer than 1,000 employees assess weaknesses in their current IT security environment. It will help identify processes, resources, and technologies that are designed to promote good security planning and risk mitigation practices within your organization.

My Views:

" One can see great effort put in Compilation of this tool "

" Would have been great if baseline security analyzer was integrated with it! "

" It lets you compare your scores against the scores of others in your industry! "

>> In an all a good security assesment tool for your organization!

< Download: 3.4 MB, Requires .NET Framework 1.1 >

Secure your Applications!

2005-04-17T16:59:00.000+05:30

Developing secure software is the MANTRA of today's developers. Security is through out the software development lifecycle (SDLC), and not alone Development. Starting from Design, through development, to testing and deployment, a multi-disciplinary approach must be taken to deliver a quality Secure software product!

Application Security Assurance Programs (ASAP) helps you to ensure that IT assets are fully secure and compliant with privacy directives.

Check out the Webcasts and other Links for more information on how to secure your application:

via ARUN

SSL Diagnostics Version 1.0 (x86)

2005-04-02T17:05:00.000+05:30

A common problem for administrators of IIS servers is configuring and troubleshooting SSL enabled websites. To assist in administrators efforts, Microsoft has designed a tool - SSL Diagnostics - to aid in quickly identifying configuration problems in the IIS metabase, certificates, or certificate stores.

This tool allows users to review configuration information in a easy to read view mode or to run the tool silently with only the creation of a log file. During use, administrators can simulate the SSL handshake to find errors. They can also quickly "hot swap" certificates for testing purposes.

These packages come in two forms: Express and Full. The express will only give the pertinent tools for administrators to use SSL Diagnostics while full install installs the same files with the appropriate documentation. Included in the full install is a SSL Frequently Asked Questions that can assist in the learning of SSL for administrators.

Windows Server 2003 Service Pack 1

2005-04-01T19:36:00.000+05:30

Windows Server 2003 SP1 provides enhanced security, increased reliability, and simplified administration to help enterprise customers across all industries.

You can find in-depth technical information about Windows Server 2003 SP1 at the Windows Server 2003 TechCenter on TechNet.

You can get Windows Server 2003 SP1 by downloading the service pack or by ordering the CD.

Related Links:

# via MVP Jubo

Best Practices for the Security APIs

2005-02-01T19:50:00.000+05:30

This documentation provides information about best practices for secure software.

Running with Special Privileges
Discusses security implications of privileges.

Avoiding Buffer Overruns
Provides information about avoiding buffer overruns.

Creating a DACL
Shows how to create a discretionary access control list (DACL) by using the Security Descriptor Definition Language (SDDL).

Handling Passwords
Discusses security implications of using passwords.

A security option in IE you may wish to change !

2005-01-31T13:35:00.000+05:30

I just picked up some very interesting information via colin's blog.

It seems that in IE javascript can extract data out of your clipboard. It doesn't work with FireFox either because the feature is not supported or off by default. Luckily, it is a security option and it can be disabled.

Go to Tools --> Internet Options...
Click on the Security Tab
Select Internet Zone and then click Custom Level...
Scroll down to the scripting section and see "Paste operations via script"
Change the value to Prompt or Disable

Can't Believe what i am saying, see it in action by copying some text, and clicking the link: Show clipboard contents

Only IE and other IE based browsers are @ risk, like Maxthon / MyIE2, no probs with firefox,netscape,etc...

SQL Injection Attacks and Some Tips on How to Prevent Them

2005-01-31T13:28:00.000+05:30

Introduction

Security in software applications is an ever more important topic. In this article I discuss various aspects of SQL Injection attacks, what to look for in your code, and how to secure it against SQL Injection attacks. Although the technologies used here are SQL Server 2000 and the .NET Framework the general ideas presented apply to any modern data driven application framework, which makes attacks potentially possible on any types of application that depends on that framework.

What is a SQL Injection Attack?

A SQL Injection attack is a form of attack that comes from user input that has not been checked to see that it is valid. The objective is to fool the database system into running malicious code that will reveal sensitive information or otherwise compromise the server.

There are two main types of attack. First-order attacks are when the attacker receives the desired result immediately, either by direct response from the application they are interacting with or some other response mechanism, such as email. Second-order attacks are when the attacker injects some data that will reside in the database, but the payload will not be immediately activated. I will discuss each in more detail later in this article.

Read the full article

More Links:
SQL A to Z Here: www.extremeexperts.com
SQL Server DO's and DON'Ts
Unauthorised access to a SQL Server, and how to prevent it

Keeping Secrets Secret: Steganography with .NET

2005-01-27T02:05:00.000+05:30

Steganography is a way to protect information by hiding it "in plain sight" within other types of digital content. Steganography complements rather than replaces encryption by adding another layer of security -- it's much more difficult to decrypt a message if you don't know that there is a message. See how to leverage .NET to create steganographic techniques that hide encrypted information inside common digital data files.

teganography, literally "hidden writing," is nowadays most often associated with embedding data in some form of electronic media. Data is hidden by adding or altering insignificant bits of information of a file. For example, an algorithm designed to embed a text message might slightly alter information describing the RGB composition of a pixel for an image file.

This article illustrates a typical steganography (or stego) application scenario. The application receives the data to hide as input -- text, audio, video, or image -- and the file in which data will be hidden, called the cover file. The stego file is the result of the process. Although it contains the original cover file data as well as the hidden stenographic information, the stego file is virtually identical to the cover file.

This article introduces the most common stenography algorithms and techniques. Then, it shows how to design and implement a .NET library to hide text messages in 24-bit bitmapped (.bmp) files. The sample code includes both a command-line and a GUI application that serve as proof of concept and let you experiment with the techniques discussed.

Page 1: Introduction
Page 2: The Stego Library
Page 3: The BMPCoverFile Class
Page 4: The BMPStegoFile class
Page 5: Building Client Applications

Implementing Encrypted SQL Server Database Columns with .NET

2005-01-27T00:11:00.000+05:30

Many government agencies needing HIPAA compliance, such as HUD, require encryption of certain database columns. For systems tracking victims of domestic abuse, it's critical to encrypt personally identifiable data. Fortunately, implementing encrypted database columns is simple using .NET and SQL Sever 2000.

by David Talbot

Page 1: Introduction
Page 2: Introducing AES Encryption
Page 3: Applying AES Encryption to Databases
Page 4: Encrypting and Storing a Record
Page 5: Finding and Decrypting a Record

Harden MS Reporting Services Using Custom Extensions

2005-01-26T23:57:00.000+05:30

An incredibly flexible extensibility model is included with Microsoft Reporting Services and hammering down a custom security model is one smart way to take advantage. Shore up your implementation with forms authentication and role membership.

by Teo Lache

Page 1: Introduction
Page 2: Internet Reporting
Page 3: Understanding RS Forms Authentication
Page 4: Introducing the Adventure Works Portal
Page 5: Setting Up the Forms Authentication
Page 6: User Authentication
Page 7: User Authorization

Vulnerability on .Text Blogs

2005-01-26T21:02:00.000+05:30

Click here to read my article on " Vulnerability on .Text Blogs "

Highly Recommended !

illustrations of this Vulnerability are also shown.

Discovery of this Vulnerability by:
Thota Umesh # 24/01/2005.

Digital Black Belt Webcasts: Defend Your Code from Attacks

2005-01-22T01:41:00.000+05:30

Hackers are busier than ever. Do you know how they attack? Is your code ready to stand up against those attacks? If you answered no to either of these questions, join us for the Digital Blackbelt webcast series as Developer Community Champion Joe Stagner discusses security risks, vulnerabilities, and solutions from the software developer's perspective. We will provide real-life examples and security tips and tricks that can help you gain the knowledge and techniques to become an experienced blackbelt in writing secure code.

Bonus: Be one of the first 300 to attend six live webcasts in this series (and submit an evaluation) and you will receive an official Microsoft security blackbelt!* And by attending a live webcast in this series and submitting an evaluation, you will qualify to win a Portable Media Center (official rules) pre-loaded with our (ms) best security webcasts!

MSDN Webcast: Digital Blackbelt Series: The Software Security Crisis: Selling Management on the Need to Invest in Secure Software Development (Level 100)

Friday, February 4, 2005 11:00 A.M.-12:00 P.M. Pacific Time, United States and Canada (UTC-8)

Tune in for an introduction to the Digital Blackbelt Series. Learn about the evolving "Secure Culture" at Microsoft Corporation and how your company can save money by spending defensively.

MSDN Webcast: Digital Blackbelt Series: Building an Intentionally Secure Development Process (Level 200)

Friday, February 18, 2005 11:00 A.M.-12:00 P.M. Pacific Time, United States and Canada (UTC-8)

Tune in for a discussion of organizational considerations, process hierarchy, lifecycle management and support tools. This will be the framework that you will use to organize and insure secure technologies.

I,Secure

2005-01-21T17:22:00.000+05:30

Browsing the Web and Reading E-mail Safely as an Administrator, Part 2
Michael Howard builds upon his previous article by showing you how to use SAFER with local or enterprise policy to reduce potential threats when running as an admin. (January 17, Article)

Use Role Based Security with the Web Services Enhancements 2.0
See how WSE 2.0 integrates X.509-based WS-Security authentication with role-based security features in the Microsoft .NET Framework, and how to use WS-Policy in WSE 2.0 to greatly simplify tasks. (January 17, Article)

Guidance on Patterns & Practices: Security
Keith Pleas discusses how to create secure applications on the Microsoft platform with patterns & practices guides described in this article. (January 15, Article)

TulaFale: A Security Tool for Web Services

2005-01-19T16:48:00.000+05:30

TulaFala looks pretty interesting. Its the part of the Samoa Project i blogged abt in the earlier post visit http://securing.ws/,Site also contains tons of links to resources dealing with web services and security related aspects.

Download : TulaFale: A Security Tool for Web Services

Samoa: Formal Tools for Securing Web Services

2005-01-19T16:35:00.000+05:30

Microsoft Research, Cambridge

An XML web service is, to a first approximation, a wide-area RPC service in which requests and responses are encoded in XML as SOAP envelopes, and transported over HTTP. Applications exist on the internet (for programmatic access to search engines and retail), on intranets (for enterprise systems integration), and are emerging between intranets (for the e-science Grid and for e-business). Specifications (such as WS-Security, now at OASIS) and early toolkits (such as Microsoft's WSE product) exist for securing web services by applying cryptographic transforms to SOAP envelopes.

The underlying principles, and indeed the difficulties, of using cryptography to secure RPC protocols have been known for many years, and there has been a sustained and successful effort to devise formal methods for specifying and verifying the security goals of such protocols. One line of work, embodied in the spi calculus of Abadi and Gordon and the applied pi calculus of Abadi and Fournet, has been to represent protocols as symbolic processes, and to apply techniques from the theory of the pi calculus, including equational reasoning, type-checking, and resolution theorem-proving, to attempt to verify security properties such as confidentiality and authenticity, or to uncover bugs.

The goal of the Samoa Project is to exploit recent theoretical advances in the analysis of security protocols in the practical setting of XML web services. Some early outcomes of this research include an implementation of declarative security attributes for web services and the design of a logic-based approach to checking SOAP-based protocols.

Read More

.NET Security Guidance Links

2005-01-19T16:26:00.000+05:30

Application Security Webcast - Slides

Supporting Artices from the Security Webcast

MOM 2005 Security Without Active Directory

2005-01-19T16:15:00.000+05:30

You Can Use MOM 2005 Without Active Directory
Unfortunately, it was not made clear in the MOM 2005 documentation, but you can deploy and successfully use MOM 2005 without Active Directory. Although MOM 2005 installs and functions (for the most part anyway), there are a few features that are not available without AD. I will concentrate upon the security features right now, but there are other features, such as Discovery, that are either not available or are affected in some way without AD.

The Security Features Not Available without AD:

Mutual authentication - It will not be possible for MOM to have agents and Management Servers positively authenticate each other. This feature was offered to help mitigate man-in-the-middle attacks and spoofing attacks.
Reject manually installed agents - all manually installed agents will show up in the Pending Actions folder even if the feature is selected. This feature was offered to help mitigate rogue administrators installing agents without, or even against, IT policy.
Prevent agent proxying - agents will not be blocked from sending data form other computers or network devises. This feature was offered to help mitigate spoofing attacks and certain DoS attacks.

The Security Features Still Available without AD:

Block Legacy Agents - You can still block pre-MOM 2005 agents form communicating with the Management Server.
Secure Communications Channel - this encryption channel between the agents and the Management Server does not require AD.

What does this mean? Basically, this means MOM 2005 will be less secure in these respects and I know of no way to use other means to substitute these intended mitigations. In todayÃÆÃÂ¢ÃâÃâ¬ÃâÃâ¢s security-conscious world, I thought all should be aware of this.

Note - The MOM Management Server ~~must~~ do not have to be a member of a domain. For more information, see the MOM 2005 Supported Configurations document either on the product CD (root/RelDocs/SuppConfg.htm) or online .

Note about the above note - OK, the MOM servers (Management Server, Database Server, and Reporting server) do NOT have to be in an AD domain.

For more information about these features and MOM security in general, see the MOM 2005 Security Guide

(Download or TechNet)

Moral of the story - Use Active Directory

Via James Morey

Windows worm travels with Tetris

2005-01-18T22:13:00.000+05:30

The version of Tetris is recognisable and just as playable

Users are being warned about a Windows virus that poses as the hugely popular Tetris game.

The Cellery worm installs a playable version of the classic falling blocks game on PCs that it has infected. While users play the game, the worm spends its time using the machine to search for new victims to infect on nearby networks.
The risk of infection by Cellery is thought to be very low as few copies of the worm have been found in the wild.

Protect yourself

The Cellery worm does not spread via e-mail like many other viruses. Instead it browses computer networks for PCs that have not shut off all the insecure ways they connect to other machines.

When it infects a machine, Cellery installs a version of Tetris that users can play. As the game starts up the worm also starts a music file to accompany it. At the same time the virus starts scouring networks for other vulnerable machines. The virus does no damage to machines but heavily infected networks could slow down as scanning traffic builds. Productivity may suffer too if users spend time playing Tetris.

PCs running Windows 95, 98, ME, NT, 2000, and XP could be vulnerable to the worm.

"If your company has a culture of allowing games to be played in the office, your staff may believe this is simply a new game that has been installed - rather than something that should cause concern," said Graham Cluley, spokesman for anti-virus firm Sophos.

So far the number of people infected by Cellery is thought to be very small and the risks of further infection is very low. Sophos urged users and companies to update their anti-virus software to keep themselves protected.

Swap Data More Securely with XML Signatures and Encryption

2005-01-17T00:14:00.000+05:30

TRUSTWORTHY CODE

Exchange Data More Securely with XML Signatures and Encryption

By Mike Downen and Shawn Farkas

Parts of this article are based on a prerelease version of the .NET Framework 2.0. All information pertaining to those sections is subject to change.

This article discusses:

XML Signature and XML Encryption standards
Digital signing and encryption features in the .NET Framework 1.x and 2.0
X.509 certificate integration

This article uses the following technologies:
XML, .NET Framework, C#, Security

Code download available at:
XMLSignatures.exe (241KB)

The XML Signature and XML Encryption standards are being used extensively as building-block technologies. MicrosoftOffice InfoPath uses XML signatures to sign partial or whole forms. Web services use XML signatures to sign SOAP messages and XML encryption to encrypt them. The XML manifests for ClickOncebased applications, new in Visual Studio 2005, also use XML signatures. The .NET Framework 1.x includes an object model for the XML Signature standard, and the .NET Framework 2.0 adds additional support, while adding an object model for XML encryption as well. This article explains the XML Signature and XML Encryption standards and shows you how to use them with .NET. For the actual XML Signature specification, see the W3C standard at XML-Signature Syntax and Processing.

Read the full article

Nightmare !!!

2005-01-16T02:36:00.000+05:30

How to get rid of ur worst nightmare (worms on ur system!)

Say you left your system to complete certain download tasks or to update itself when you come back, your firewall is crashed and u have a nasty worm/spyware on your system,
ever experienced a scenario where your trusted antivirus software cant help u, what do u do ???

well, the general answer would be I would check for the tasks/processes running on system to evaluate any suspicious activity u might use taskmanager or winspy etc then what ? this oneliner lol, is the most frequent one to my tech-support calls from my friends and friends of friends & ...

" i kill the task and it pops back again, i delete the file and it comes back again"

well we all have experienced that havn't we, so here's certain things to do / not to do

First restore your firewall (else disconnect from internet) to avoid further welcoming other malware!

TIP: if u cant disable the internet from the taskbar connectivity tab then stop/disable terminal services on windows services

Now, for many new spywares there removal requires special downloads to clean it off the system let us assume we dont have one on board and that the spyware effected HOSTS file (many do @least few of the ones i encounter'd) forget trying to access any antivirus sites and dont get surprised if u get routed to some other offensive page, So what to do before system goes critical!

TIP: its generally wise to hav a latest virii scanner and cleaners like stinger,etc to be burn'd into a cd for emergency

if we kill the task it pops back up also if u delete the file say c:\windows\system32\loadnew.exe (yaa its a spyware) it too pops back up so any solution ?

TIP: many worms take the user's ignorance to their 'benifit of the doubt', u watch a process being run from sys32 directly u might leave it to do its nasty work, so generally almost 90% of spywares/worms get downloaded to sys32 or win folder. dont fall for it!

Answer to this problem would sound funny but actually works better than the classical
{list the path of the file-reboot to dos-delete the file} this is good @least used to be good until we got NTFS say even our primary drive (drive on which OS is installed)

TIP: it is not a good practice to hav OS drive partitioned into NTFS as its timetaking and troublesome to fix any problems like the one above and many many more...

taking the worst of worst case scenario lets consider we have a NTFS Primary drive so generally the only EXTREME alternatives i find people to be talking is - to either FORMAT or to make ur hardisk into slave run an antispyware scan from a different OS etc, etc WORSE would be to run it ignoring the spyware! Coming back here is the answer what to do:

COPY CON IT :) Yes! create a file with the same name and make it a read-only and hidden file!

Example:

say my firewall failed and i got a headache spyware downloaded to my system "c:\windows\system32\loadnew.exe"

first terminate the process in the memory use taskmanager or winspy

next delete the file listed in the path u read on taskmanager or winspy. (if u wish to experiment rename it into a non executable extension!)

NOW CREATE A DUMMY FILE WITH THE SAME NAME AS SPYWARE

I USE CMD SHELL: copy con c:\windows\system32\loadnew.exe

what do u have/type in that dummy file ? Well, u can have/type your name LOL

then convert the file to hidden and read-only just as a precaution.

Once this is done be sure to get an application error even before u launched anything saying - "c:\windows\system32\loadnew.exe" is not a valid win32 file.

this is because the worm initially writes into the windows registry for auto-starting itself once its process is terminated but here when the process is restored or attempted to restore it launches a file with your name LOL, and since the file already exist the worm would not try to replace the file (remember the precaution thats for - if it tries)

Remember this procedure is only to get rid of the worm and to access internet for downloading of the removal tools remember u still have some registry to clean.

TIP: it is good to make your HOSTS file to read-only this will LIMIT the extent of any worms damage and ease up restoration and cleaning activity

Article details:
Name : ER from Spyware
level : Anyone

No more a Nightmare ;) lol

Trojan WMVs download a dictionary of spyware Beware!!!

2005-01-15T09:37:00.000+05:30

Microsoft's rights management technology is already being sussed out by hackers, and the result is a pair of wmv files that instead of downloading licences to validate them, download a dictionary of spyware. PandaLabs says it has picked up copies of WmvDownloader.A and WmvDownloader.B. The files are in fact Trojan viruses and, with their .wmv file format, will trigger Windows Media Player into thinking they are the Windows Media video format.

If a user plays the file, Windows Media Player will see that it has to licence attached and will look out on the Internet for one.However, rather than download a licence, the search is redirected to sites that subsequently download a host of seven adware components, a couple of diallers, three spyware programs and another downloader virus.

PandLabs says it has seen most of these copies out on peer-to-peer networks, but warns that there is nothing preventing them turning up in email attachments or burned to a CD.

Ironically, those at risk are Windows XP users with Service Pack 2 installed and the latest version of WIndows Media Player - version 10.

However, most antivirus companies began offering protection against these viruses around 5 January, so users with up to date protection should be safe.

Hardening Your Web Server

2005-01-15T08:59:00.000+05:30

There are a number of procedures u can typically follow in preparing Web servers to go live on the Internet:

Always keep security patches up to date. Applications to check include the server OS, IIS, SQL Server, FrontPage, Office, and SharePoint Team Services. notify customers when u get new security bulletins.
Run the Microsoft Baseline Analyzer tool on the server until all patches are complete and other exposures are minimized; then run the IIS Lockdown Tool and URLscan wherever possible.
Enforce the use of role-based security and strong passwords on everything and everyone who can change anything on the server.
All content sites are housed on a different hard drive than the OS and other key resources. Different customer's sites are housed in separate unrelated directory structures. Disaster and recovery procedures should be in place and in practice for every server.
All sample sites and unused sites (like the IIS admin and the default site) are removed or incapacitated. All unused applications and services are removed or disabled.
The server is behind a firewall with all ports closed except the ones I use.
Use host anonymization software like ServerMask from Port80Software. This hides the server's identity, vendor, and version in the host header from malicious hackers.
Proactively test customers' applications to make sure that there are no obvious security holes. In addition to testing their applications from the browser,
for testing Web application vulnerabilities: GreenBlue Inspector lets me view request and response headers, cookies, and forms input. It also lets me test for buffer overrun vulnerabilities and SQL injection vulnerabilities, two of the most common security failures in Web applications. (See the Resources box at the end of this article and the Toolbox column in this issue.)
Always keep a watchful eye on your server's logs.

Resources

Honey Pots and Other System Security Strategies
The Honeynet Project
Honeypots Solutions
snort_inline
Microsoft Security Support

General Security Tips
Network Abuse Clearinghouse
Building and Configuring More Secure Web Sites
How IIS Authenticates Browser Clients

Using Host Headers to Set Up a Multihomed Server
www.winnetmag.com/Article/ArticleID/7176

How to Build a Web Development Environment
www.winnetmag.com/Article/ArticleID/7403

Interpreting Your Log Files
Troubleshoot Kerberos-Related Issues in IIS (Including error codes)

Useful Tools
Microsoft Baseline Security Analyzer
IIS Lockdown Tool with URLscan
Ecyware GreenBlue Inspector
Web Server Anonymization and Obfuscation and Other Useful Tools

Beat Hackers At Their Own Game With A Hackerbasher Site

2005-01-15T08:54:00.000+05:30

Beat Hackers At Their Own Game With A Hackerbasher Site
Learn a strategy that will divert port 80 attacks away from unsecured public Web sites into a dead end where they can't do damage.

Prevent automated attacks from reaching legitimate Web domains

Automatically divert attacks into a dead end

Get a single log that shows all attack traffic

Are u under a barrage of attacks ??? hackers and crackers with automated IP port scanners can swamp a Web site with bogus requests and failed logons.The sheer volume of this traffic can reduce response times and overload service request logs. Failed logon attempts (sometimes several hundred in a minute) can obliterate legitimate security reporting in the event viewer. Even if the hacker never gains access to anything, your Web site suffers. I use several procedures to minimize the attack surface. But even after hardening the server and putting it behind a firewall, it is still vulnerable to attacks on port 80.

Failed Logons from an Automated Attack

Many of these attackers appear to be crackers,thrillseekers who simply want to break into something. Crackers usually sniff around for the obvious stuff such as unsecured databases and leftover developer sample files. Obviously, some attackers are on a mission to get in and do damage.

In this article, an easily implemented strategy is presented that uses HTTP 1.1 host headers to divert port 80 attacks away from unsecured public Web sites into a dead end where they can't do damage. the site, called Hackerbasher, stops the automated attack and records the details about the attack along with the IP address used by the attacker. Hackerbasher doesn't require any special software and its only cost is the time it takes to set it up on your server. You also get the added benefit of being able to monitor port 80 attacks in a single log file.

READ THE FULL ARTICLE

So how do we track down these people? One way is to use a honeypot: an information system resource intended to receive unauthorized or illicit use. The Honeynet Project was set up so that the good guys can watch and analyze what hackers do. The Honeynet Project reports that the average life expectancy of a honeypot on the Internet is 72 hours. The shortest known manual compromise time was 15 minutes, but a worm got the job done in 15 seconds.

I,Secure

2005-01-15T00:01:00.000+05:30

Harden MS Reporting Services Using Custom Extensions
by Teo Lachev
An incredibly flexible extensibility model is included with Microsoft Reporting Services and hammering down a custom security model is one smart way to take advantage. Shore up your implementation with forms authentication and role membership.

Implementing Encrypted SQL Server Database Columns with .NET
by David Talbot
Many government agencies needing HIPAA compliance, such as HUD, require encryption of certain database columns. For systems tracking victims of domestic abuse, it's critical to encrypt personally identifiable data. Fortunately, implementing encrypted database columns is simple using .NET and SQL Sever 2000.

Protect Yourself from PHP Worms
by Laurence Moroney
Don't just change your code to protect yourself from attacks such as the Santy or PHPInclude worms ---- change your tactics.

Demo: Adding Security to Web Services
Security is an important concern when using Web services in an enterprise. This demo shows you how security is added to a Web service invocation by modifying the Web service deployment descriptor. Three different security techniques are demonstrated:
Basic authorization; Signing a SOAP message; and Encrypting parts of the SOAP message. View the demos in this two-part series.

Hackers Sniffing For Vulnerable Microsoft Servers

2005-01-09T10:49:00.000+05:30

A vulnerability within Microsoft's WINS (Windows Internet Naming Service), a component of popular server software such as Windows Server 2003, has been heavily exploited since the last day of 2004, several security organizations reported Tuesday. (jan 4th)

Although the vulnerability was patched in mid-December by Microsoft, the Internet Storm Center and the Research and Education Networking Information Sharing and Analysis Center (REN-ISAC) at the Indiana University have seen a drastic increase in the number of probes directed at WINS services (TCP and UDP ports 42). "Patching these systems is now overdue," said the SAN Institute's Internet Storm Center in an online alert.

"Additionally, WINS services probably should not cross your border router...so block these ports and keep the rif-raf out in case your local Windows Server Admins have not patched for this," the Center continued.

The patch for the WINS issue can be found on Microsoft's Web site.

Best Practices for Delegating Active Directory Administration

2004-12-25T17:49:00.000+05:30

Active Directory provides an enterprise-ready, scalable, distributed directory service that allows organizations to centrally manage and share information about network resources and users, and is the central focus for network security. Active Directory thus plays a major role in accomplishing the business goals of your organization, and your ability to successfully manage Active Directory has a direct bearing on your ability to accomplish these goals.

Delegation of administration, a key capability of Active Directory, provides a means to successfully manage an Active Directory environment. This document discusses in depth the issues involved in delegating administrative responsibilities, and can help you plan for and implement an administrative delegation model for more securely and efficiently managing Active Directory.

Building Secure ASP .NET Applications

2004-12-21T17:38:00.000+05:30

Guidelines for authentication, authorization and secure communication across the tiers. Topics include ASP.NET, Enterprise Services (COM+), Web Services, Remoting, and data access (including ADO.NET and SQL Server).

Building Secure ASP .NET Applications .pdf Download

Yeh !!!

2004-10-27T11:44:00.000+05:30

My Security Blog has 100+ posts !

MSDN Magazine November // security //

2004-10-26T19:20:00.000+05:30

" Read this month's MSDN Magazine,
focus on SECURITY "

Download the complete code from this issue:
MSDNMag0411.exe (1,868 KB)

Download this complete issue in HTML Help format:
MSDNMag0411.chm (1,274 KB)

NOVEMBER 2004Volume 19 Number 11

Read Online

most popular password ???

2004-10-26T01:49:00.000+05:30

What's the most popular password ???

On average, the human brain can hold only five to nine "random bits of information" in short-term memory. Considering the brain's limited capacity and the sheer number of secret names, codes, and words a person needs to remember in this password-protected age, it's no surprise that the most common password is simply "password."

Besides serving as an easy-to-remember code for less-creative computer users, "password" is often used as the default password for many web sites and programs, making it extremely common and not at all secure. In other words, "password" is a bad password.

Other perennial favorites include "God," "sex," "money," and "love." Passwords based on the names or birthdays of partners, children, or pets are also quite common. Here's a pretty lengthy list of common passwords. Make sure to scan it and look for yours. If yours made the list, it's probably a good idea to change it.

source: AskYahoo!
check if ur password is among the common passwords used!

Security Report: Windows vs Linux

2004-10-25T15:38:00.002+05:30

A security report detailing the Design, Security and Severity Metrics of both windows and linux. also contains comparision of recent 40 patches for both OSs in a big table. ( u might want to increase the browser text size to read that )

Me, Geekswithblogs

2004-10-25T14:00:00.001+05:30

Yes !!!, i now hav a blog on GWB .
My new blog will be a Technology Blog thats going to compete my security blog.

My security blog continues...
http://www.secureblog.net

My Technology blog:
http://www.geekswithblogs.net/umesh

5 key things you can do to improve your online security

2004-10-24T19:52:00.000+05:30

SPAM ( now and again )

2004-10-22T16:48:00.000+05:30

[updated:25/08]

How do u get SPAMMED:

Spammers get your email address from various advertising sites
(ever subscribed hoping to get free gifts, etc.) also from your profiles, forums, groups and even Search Engines. SpamBots work 24/7 scanning google and other search engine pages resulting in a DB of all our email addresses for spammers to spam, few search engines like google tries its max not to list any email address resulting from its search but many of us post our email address on yahoo and msn profiles don't we !!! apart from that many groups and forums sites inc. yahoo ! and msn :( have no protection against these spambots, i.e. our email address is free to be scanned and copied!

some forums have email protection employed check out www.computing.net site, u can post get replies to the post to your email address to but spambots cant scan the email address since they are not displayed hence your email address are safe to use hope msn & yahoo get this ON soon on there groups seeing the amount of spoof-mails that are getting posted everyday. and then we have Trojans nasty little worms few of which which even spam all friends in our address book resulting in a spammed chain

so next time don't curse spammers if u are getting spammed !!! because we are equally responsible.

Here are some tips to keep spam away from your email :

why would anyone get free gifts from an unknown source for no reason ??? believe me nothing for free on net ( unless its on HTTPS and is verified by eTrust and has a good PRIVACY Policy. LOL ) don't fall for it and register your email address they are the abyss to Spamdom !!!
Don't post your email in your profiles or any other public site unless u are trying to get the attention of spammers.
Keep yahoo and msn groups closed for public access else spambots can access and scan for email addresses in the group.
If u must post your email address OPEN then post that of an alias or an email forwarder address so that u can delete it once you start getting spam for that email check out yahoo's spam protection email service or use a free email address for all your web-posting and other activities else waste time and money cleaning spam's from your valuable personal and company's mailboxes
If u are using email clients to download your mails never open an attachment unless scanned by AV
ever seen any links on spams sayin click here to unsubscribe well if u dint subscribe then how wud u unsubscribe ?!? dont click on any links of the spam mail it just validates ur email address. else get ready for MORE... SPAM
anybody (webmasters) who wishes to display their email address can paste a image of their email address or use tags like [at] instead of @ for posting their mail address to avoid gettin scanned by spambots as they generally search for [ x@y.general extentions ] format to SPAM

How to know if u are spammed ??? well, u will know !!! your junk folder would get 100's of mails your friends will receive spoofed attachments with your mail address, etc etc its just the begining..., wish to handle spam !!!
read this "Handling unwanted e-mail (spam)".

Read more abt spam... ( do's and don'ts )

THIS POST IS DEDICATED TO MY FIRST GMAIL SPAM, LOL :)

GSpam

2004-10-22T15:40:00.000+05:30

Its been ~ 7 months since i started using GMail & Today i got my first spam mail!

believe it "7 Months - Spamfree" just proves how spamfree one can be just by being careful with distribution of their email-address.
so next time instead of cursing spam try to keep ur email-address secure => better way of being spamproof.

Mitigate Security Risks by Minimizing the Code You Expose to Untrusted Users

2004-10-22T13:56:00.000+05:30

[from msdn security development center]

Mitigate Security Risks by Minimizing the Code You Expose to Untrusted Users

Michael Howard

This article discusses:
Identifying and reducing attack surface
Reducing the amount of code executing by default
Reducing the volume of code accessible to untrusted users
Limiting damage if hackers do attack your code

ode fails. It's a sad fact of life. In the industry, we worry a lot about improving code quality. While code quality is exceptionally important, most code will eventually fail so we cannot focus exclusively on getting the code right. Imagine for a moment your code is perfect. It's only perfect by today's standards—a snapshot of best practices at the time it was developed. Yet the vulnerability research landscape is constantly evolving. Four years ago, integer overflow attacks were almost unheard of; now they are the attack de jour! Imagine broadening the scope to all the code you've ever delivered to customers.

Read the full article Here

Windows Server 2003 Security Guide

2004-10-19T06:28:00.000+05:30

The Windows Server 2003 Security Guide focuses on providing a set of easy to understand guidance, tools, and templates to help secure Windows Server 2003 in many environments. While the product is extremely secure from the default installation, there are a number of security options that can be further configured based on specific requirements. This guidance not only provides recommendations, but also the background information on the risk that the setting is used to mitigate as well as the impact to an environment when the option is configured.

Microsoft and Cisco make security pact

2004-10-18T23:35:00.000+05:30

Microsoft and Cisco Systems plan to work more closely together to improve IT security.

The world's largest computer software and networking firms announced, that they will share product information with each other to address the growing threat of malicious software.

The move will help allay previous fears that the two dominant technology firms were taking different approaches to security, potentially leading to interoperability problems when customers tried to integrate systems.

By sharing information the firms hope to achieve product compatibility between Cisco's Network Admissions Control and Microsoft's Network Access Protection, their respective endpoint security software products.

'Security is not an island,' said Cisco chief executive John Chambers. 'By working with Microsoft, Cisco is again demonstrating its commitment to taking every step possible to provide our customers with the industry's best tools and technologies for network security.'

Microsoft chief executive Steve Ballmer added: 'This important alliance with Cisco underscores Microsoft's ongoing commitment to creating a more secure computing environment for customers.'

Links : 1, 2.