In light of the recently passed National Cyber Security Awareness Month, a shout out to CVE-2014-4114 (MS14-060): a vulnerability in the OLE package manager that can be exploited to remotely execute arbitrary code on Windows Vista SP2 through Windows 8.1 and on Windows Server 2008 and 2012. Yeah, 2012 too. It was exploited in the wild through crafted Office documents before the patch shipped, so apply the MS14-060 update rather than relying on the OLE object simply not being opened.
And here's to POODLE.
POODLE: This dog bites – An infographic by the team at Pluralsight
Threat modeling and diversion tactics: a good high-level overview of software security.
There are only a handful of threat modeling approaches in the industry, and they are difficult to implement because their guidelines are subjective. Our training session will focus on best practices and a hands-on approach that gives attendees a better understanding of how to conduct threat modeling in their organization. Most threat models focus on attackers; we will instead build the threat model from trust zones, identifying assets, indirect threats, and ambiguity analysis. We will also cover secure design concepts and best practices for securing software architecture.
Learning Objectives: At the end of this workshop, participants will be able to:
- Understand the basics of threat modeling software applications
- Understand the meaning of threats, attack vectors, and trust zones
- Learn about ambiguity analysis
- Learn about secure design concepts
- Learn best practices for securing software architecture
I spoke to the LA C# User Group last night in Pasadena on the topic of Web Application Security with OWASP.
The slide deck of my talk can be downloaded from here: LA C# OWASP Presentation
Links from the talk follow.
- Open Web Application Security Project
- IIS Lockdown tool
- Configuring SSL on IIS7
- Disabling directory browsing
- Preventing Cross-Site Request Forgery (CSRF) Attacks
- How to prevent Cross site scripting XSS using MVC 3
- CSRF Vulnerability in Twitter Allowed Hackers to Read DMs, Post Tweets
- U.S. Says Ring Stole 160 Million Credit Card Numbers
- DDoS and SQL injection are the most popular attack subjects
- FireHost Detects Surge in SQL Injection for Q3 2013 with Cross-Site Scripting Also Rising
- SQL Injection Blamed for New Breach
- Millions of LinkedIn passwords reportedly leaked online
- How Hackers Stole 200,000+ Citi Accounts Just By Changing Numbers In The URL
Andrew Karcher, SQL Server MVP, invited me to speak at the San Diego .NET User Group this Tuesday. The topic of my talk was Secure Code Top 10 (OWASP) for Service Oriented Architectures; the presentation slides can be downloaded from here. Links from the talk follow.
Web Service Security Cheat Sheet
OWASP WebGoat.NET
WCF Security Fundamentals
WebGoat.NET Github (Web Forms)
WebGoat.NET Github (MVC)
C is for cookie, H is for hacker – understanding HttpOnly and Secure cookies
Advanced SQL Injection - Havij
OWASP Top 10 for .NET
HTML encoding in ASP.NET / MVC
HTML encoding in Razor
How Hackers Stole 200,000+ Citi Accounts Just By Changing Numbers In The URL
6.5 Million Encrypted LinkedIn Passwords Leaked Online
Preventing Cross-Site Request Forgery (CSRF) Attacks
OWASP's Top 10, the Open Web Application Security Project's list of the ten most critical web application security risks, has a new edition for 2013.
The OWASP Top 10 was last updated in 2010; in this update cross-site scripting (XSS) and cross-site request forgery (CSRF) have moved down the list, while broken authentication and session management has moved up.
Injection attacks (SQL injection, OS command injection, etc.), the top risk in 2010, retain their position in the new list. According to OWASP, the 2013 Top Ten list (PDF) was compiled from over half a million vulnerabilities found in thousands of applications from hundreds of organizations.
I had to dig these up in the context of a conversation around the (in)security of currency regimes such as Bitcoin, where presumed ownership of currency is built solely upon asymmetric cryptography. You may find some of these links to be of interest as well.
Textbook RSA is insecure
...and other interesting observations.
Invasive side-channel attack.
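To make the "textbook RSA is insecure" point concrete, here is an added example that is not from the original post or from the linked articles. It uses a hypothetical toy key (p = 61, q = 53) so the numbers are readable; the three failures it shows (determinism, ciphertext malleability, signature forgery) hold for real key sizes too, because they follow from the arithmetic, not the key length. The last step assumes .NET Core / .NET 5+ for OAEP-SHA256 (the .NET Framework CSP provider only offers OAEP-SHA1).

```csharp
// Added example (not from the original post): why "textbook" RSA, used without
// padding, is insecure. Toy key: p = 61, q = 53 -> n = 3233, phi = 3120,
// e = 17, d = e^-1 mod phi = 2753. Hypothetical values chosen for readability.
using System;
using System.Numerics;
using System.Security.Cryptography;

static class TextbookRsaDemo
{
    static readonly BigInteger N = 3233;
    static readonly BigInteger E = 17;
    static readonly BigInteger D = 2753;

    // Textbook RSA: a bare modular exponentiation, no padding, no randomness.
    public static BigInteger Encrypt(BigInteger m) => BigInteger.ModPow(m, E, N);
    public static BigInteger Decrypt(BigInteger c) => BigInteger.ModPow(c, D, N);
    public static BigInteger Sign(BigInteger m)    => BigInteger.ModPow(m, D, N);
    public static bool Verify(BigInteger m, BigInteger s) => BigInteger.ModPow(s, E, N) == m;

    static void Main()
    {
        BigInteger amount = 100;            // think: "pay 100 units"
        BigInteger c = Encrypt(amount);

        // 1. Deterministic: the same plaintext always yields the same ciphertext, so an
        //    observer can spot repeated messages or brute-force a small message space.
        Console.WriteLine($"Encrypt(100) repeats: {Encrypt(amount) == c}");          // True

        // 2. Malleable: E(a) * E(b) = E(a*b) mod n. Without knowing d, anyone who sees c
        //    can turn it into a valid encryption of 10*amount (while 10*amount < n).
        BigInteger forged = (c * Encrypt(10)) % N;
        Console.WriteLine($"Forged ciphertext decrypts to: {Decrypt(forged)}");      // 1000

        // 3. The same homomorphism forges signatures: the product of valid signatures
        //    on 3 and 5 is a valid signature on 15, which the signer never signed.
        BigInteger sForged = (Sign(3) * Sign(5)) % N;
        Console.WriteLine($"Forged signature on 15 verifies: {Verify(15, sForged)}"); // True

        // The fix is padding: OAEP for encryption, PSS for signatures. With OAEP the
        // same plaintext encrypts differently every time and the multiplicative
        // relationship between ciphertexts is gone.
        using (RSA rsa = RSA.Create())
        {
            byte[] msg = BitConverter.GetBytes(100);
            byte[] c1 = rsa.Encrypt(msg, RSAEncryptionPadding.OaepSHA256);
            byte[] c2 = rsa.Encrypt(msg, RSAEncryptionPadding.OaepSHA256);
            bool same = Convert.ToBase64String(c1) == Convert.ToBase64String(c2);
            Console.WriteLine($"OAEP ciphertexts identical: {same}");                // False
        }
    }
}
```

The practical takeaway for a system whose notion of ownership is "whoever can produce a signature": the signature scheme must use a proper padding (PSS or, at minimum, PKCS#1 v1.5 with strict verification), since raw RSA lets an attacker combine signatures they have seen into signatures they were never given.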
Exploring the "Distributed" in DDoS - Social Engineering Aspects of an "Anonymous"-style DDoS Attack
Recorded 24 April 2013.
With the proliferation of social media and mobile devices to the masses, protecting against distributed denial of service attacks has become an arduous technical challenge. Even though we expect much more sophistication, research reports show that the majority of Anonymous-style hacktivist attacks are distributed denial of service. In its analysis of the largest known hacker forum, with roughly 250,000 members, Imperva's Hacker Intelligence report states that social networks today are a major interest for hackers. In this talk we discuss the technical challenges and potential remediation of such denial of service attacks. The presentation will elaborate on key tenets of defense in depth and web application security, and outline potential threats for the financial application domain.
The Cultural Knowledge Consortium (CKC) is a joint and inter-agency effort established to provide a Socio-cultural Knowledge Infrastructure (SKI) that provides access to, and connects, multi-disciplinary, worldwide social science expertise and supports collaborative engagement efforts in support of Combatant Command (COCOM) socio-cultural analysis requirements. CKC supports and complements the alignment and synchronization of DoD analytical efforts, operational information requirements, and training programs.
Hacking Web Apps: Detecting and Preventing Web Application Security Problems, by Mike Shema, is a contemporary guide to web application security. Mike's labor of love, as he likes to call this book, contains very relevant and distilled information on modern-day web application attacks. The book differs from your garden-variety web-application-top-n-style verbose texts with template vulnerabilities and hello-world solutions; Hacking Web Apps is a book with a strong personality, which shows in its eight chapters covering diverse topics from HTML5 security, XSS, CSRF and platform weaknesses to browser and privacy attacks.
Starting with HTML5, the author discusses security issues surrounding the "new" DOM, CORS, WebSockets, Web Storage and Web Workers in a concise and concrete manner. This first chapter, however brief, makes the book quite unique, since very few books that I know of have dealt with the security issues of HTML5. The book provides a nice knowledge upgrade on exploits and vulnerabilities in web 2.0 technologies. Packed with tips, epic failures and notes providing security anecdotes from the real world, this text keeps you involved and entertained throughout. Going beyond the usual CWE/SANS and OWASP top-x vulnerabilities, the author elaborates on design issues and draws parallels on how to apply these lessons to other similar problems. The text tends to be language agnostic and code samples are in multiple languages (Python, PHP, etc.), but I do miss examples with the specifics of libraries such as AntiForgeryToken in ASP.NET MVC.
Since I have not read any of Mike's previous books, I cannot comment on how much is shared between his writings, but for any web or server-side developer interested in security I'd highly recommend reading this book.
Slides from the 11th Annual SecureIT Conference: "OWASP Web Services Security - Securing your Service Oriented Architecture"
I recently spoke at the 11th SecureIT Conference on "OWASP Web Services Security - Securing your Service Oriented Architecture". This annual event was hosted by UC San Bernardino at the Sheraton Fairplex Hotel.
The SecureIT Conference provides focus and opportunities for higher education staff meeting the challenges of providing a secure information technology environment for campus communities. The event was well attended, with distinguished speakers including Pradeep Khosla, UC San Diego's chancellor; Michael Montecillo, IBM Security Services Threat Research and Intelligence Principal; and Eric Skinner, VP of Mobile Security for Trend Micro.
The slides of my presentation can be found below.
I am confirmed to speak at the SecureIT 2013 Conference with OWASP Los Angeles chapter leader Tin Zaw. Following is the abstract of my talk.
Abstract: Any Service-Oriented Architecture (SOA) needs to support security features that provide auditing, authentication, authorization, confidentiality, and integrity for the messages exchanged between the client and the service. Microsoft Windows Communication Foundation (WCF) provides these security features out of the box, through its bindings and behaviors, for any application built on top of the WCF framework. In this session the presenters will discuss the WCF security features related to auditing and logging, authentication, authorization, confidentiality, and integrity.
This talk focuses on WCF security features, with code demonstrations of using behaviors and bindings to configure security for your WCF service. Bindings and behaviors let you configure transfer security, authentication, authorization, impersonation, and delegation as well as auditing and logging. This presentation will help you understand basic security-related concepts in WCF, what bindings and behaviors are and how they are used in WCF, authorization and roles in the context of WCF, impersonation and delegation in the context of WCF, and what options are available for auditing in WCF.
Targeted at solution architects and developers, this talk provides architectural guidance on authentication, authorization, and communication design for your WCF services; solution patterns for common distributed application scenarios using WCF; and principles, patterns, and practices for improving key security aspects of services.
Adnan Masood, MS, MCSD.
Senior Software Architect at Greendot Corp.; Chapter Leader and President, Pasadena .NET Developers Group
Tin Zaw, CISSP, CSSLP
Chapter Leader and President, OWASP LA
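The bindings-and-behaviors configuration the abstract above describes, as an added example that is not the talk's demo code or any Microsoft sample. It assumes .NET Framework WCF (System.ServiceModel), a self-hosted service, and hypothetical names (IAccountService, AccountService, the localhost address, the BUILTIN\Users role). One binding supplies transfer security and authentication; two service behaviors supply authorization and auditing.

```csharp
// Added example (not from the talk): securing a self-hosted WCF service in code.
// Binding   -> confidentiality, integrity, authentication (message security, Windows creds)
// Behavior1 -> authorization (Windows groups mapped to roles for PrincipalPermission)
// Behavior2 -> auditing (auth outcomes written to the Application event log)
// All service/contract names and the address are hypothetical.
using System;
using System.Security.Permissions;
using System.ServiceModel;
using System.ServiceModel.Description;

[ServiceContract]
public interface IAccountService
{
    [OperationContract]
    decimal GetBalance(string accountId);
}

public class AccountService : IAccountService
{
    // Authorization: WCF demands this role from the caller's Windows identity before
    // the method body runs. Role name is a hypothetical placeholder for a real group.
    [PrincipalPermission(SecurityAction.Demand, Role = @"BUILTIN\Users")]
    public decimal GetBalance(string accountId)
    {
        // The authenticated caller, available for application-level logging.
        string caller = ServiceSecurityContext.Current.PrimaryIdentity.Name;
        Console.WriteLine($"{caller} requested balance of {accountId}");
        return 0m; // hypothetical; a real service would look the account up
    }
}

class Program
{
    static void Main()
    {
        // Binding: message-level security signs and encrypts each SOAP message end to end
        // (integrity + confidentiality) and authenticates the caller with Windows credentials.
        // Contrast: basicHttpBinding's default is SecurityMode.None, i.e. no protection at all.
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;

        var host = new ServiceHost(typeof(AccountService),
                                   new Uri("http://localhost:8733/account")); // hypothetical address
        host.AddServiceEndpoint(typeof(IAccountService), binding, "");

        // Behavior 1: authorization. Map the caller's Windows groups to roles so the
        // PrincipalPermission demand above is evaluated against them.
        var authz = host.Description.Behaviors.Find<ServiceAuthorizationBehavior>();
        if (authz == null)
        {
            authz = new ServiceAuthorizationBehavior();
            host.Description.Behaviors.Add(authz);
        }
        authz.PrincipalPermissionMode = PrincipalPermissionMode.UseWindowsGroups;

        // Behavior 2: auditing. Record both successful and failed authentication and
        // authorization decisions; do not silently continue if the audit write fails.
        host.Description.Behaviors.Remove<ServiceSecurityAuditBehavior>();
        host.Description.Behaviors.Add(new ServiceSecurityAuditBehavior
        {
            AuditLogLocation = AuditLogLocation.Application,
            MessageAuthenticationAuditLevel = AuditLevel.SuccessOrFailure,
            ServiceAuthorizationAuditLevel = AuditLevel.SuccessOrFailure,
            SuppressAuditFailure = false
        });

        host.Open();
        Console.WriteLine("AccountService listening; press Enter to stop.");
        Console.ReadLine();
        host.Close();
    }
}
```

Self-hosting on an HTTP port needs a URL reservation for the service account (netsh http add urlacl), and Windows message credentials over WSHttpBinding work on a single machine or domain without extra setup. The check worth making in review is the binding's security mode: the behaviors above do nothing for an endpoint that was left on an unsecured binding.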