Security

Poodle & Sandworm


In light of the recently passed National Cyber Security Awareness Month, a shout out to CVE-2014-4114 (MS14-060), a vulnerability in the OLE package manager that can be exploited to remotely execute arbitrary code in Microsoft Windows versions Vista SP2 through Windows 8.1 and in Server 2008 and 2012. Yeah, 2012 too.

And here's to POODLE.

POODLE: This dog bites – An infographic by the team at Pluralsight


Hacktivity - Software Threat Modeling by Shakeel Tufail

Threat modeling and diversion tactics; a good high level overview on software security.

There are only a handful of threat modeling approaches in the industry, which are difficult to implement due to their subjective guidelines. Our training session will focus on best practices and a hands-on approach that will provide attendees a better understanding of how to conduct threat modeling in their organization. Most threat models focus on attackers; we will look at the threat model using trust zones, identifying assets, indirect threats, and ambiguity analysis. We will also speak about secure design concepts and best practices for securing software architecture.

Learning Objectives: At the end of this workshop, participants will be able to:

  • Understand the basics of threat modeling software applications
  • Understand the meaning of threats, attack vectors, and trust zones
  • Learn about ambiguity analysis
  • Learn about secure design concepts
  • Learn best practices for securing software architecture

Notes from my LA C# User Group Talk

I spoke to LA C# User group last night in Pasadena on the topic of Web Application Security with OWASP.

The slide deck of my talk can be downloaded from here. LA C# OWASP Presentation

Links from the talk follow.


Web/Services Security Talk @ San Diego.NET User Group

Andrew Karcher, SQL Server MVP, invited me to speak to the San Diego .NET user group this Tuesday. The topic of my talk was Secure Code Top 10 (OWASP) for Service Oriented Architectures, and the presentation slides can be downloaded from here. Links from the talk follow.

Web Service Security Cheat Sheet

https://www.owasp.org/index.php/Web_Service_Security_Cheat_Sheet

OWASP WebGoat.NET

https://www.owasp.org/index.php/Category:OWASP_WebGoat.NET

WCF Security Fundamentals

http://msdn.microsoft.com/en-us/library/ff650862.aspx

WebGoat.NET Github (Web Forms)

https://github.com/jerryhoff/WebGoat.NET

WebGoat.NET Github (MVC)

https://github.com/kahanu/webgoat.mvc

Nonce

http://en.wikipedia.org/wiki/Cryptographic_nonce

OWASP

https://www.owasp.org/index.php/Main_Page

C is for cookie, H is for hacker – understanding HTTP only and Secure cookies

http://www.troyhunt.com/2013/03/c-is-for-cookie-h-is-for-hacker.html

Advanced SQL Injection - Havij

http://www.itsecteam.com/products/havij-v116-advanced-sql-injection/

OWASP Top 10 for .NET

http://www.troyhunt.com/2011/12/free-ebook-owasp-top-10-for-net.html

Samy Worm

http://en.wikipedia.org/wiki/Samy_(computer_worm)

HTML encoding in ASP.NET / MVC

http://weblogs.asp.net/scottgu/archive/2010/04/06/new-lt-gt-syntax-for-html-encoding-output-in-asp-net-4-and-asp-net-mvc-2.aspx

HTML encoding in Razor

http://stackoverflow.com/questions/4973504/turn-off-html-encoding-in-razor

How Hackers Stole 200,000+ Citi Accounts Just By Changing Numbers In The URL

http://consumerist.com/2011/06/14/how-hackers-stole-200000-citi-accounts-by-exploiting-basic-browser-vulnerability/

6.5 Million Encrypted LinkedIn Passwords Leaked Online

http://www.tomsguide.com/us/LinkedIN-Calendar-iOS-Hack-passwords,news-15464.html

StuxNet

http://en.wikipedia.org/wiki/Stuxnet

Flame

http://en.wikipedia.org/wiki/Flame_(malware)

Rainbow Tables

http://en.wikipedia.org/wiki/Rainbow_table

Preventing Cross-Site Request Forgery (CSRF) Attacks

http://www.asp.net/web-api/overview/security/preventing-cross-site-request-forgery-(csrf)-attacks

Happy Coding!

OWASP Top 10 List of 2013 Released

OWASP's Top 10 is the Open Web Application Security Project's list of the ten most critical web application security risks. A new list for 2013 has been published.

The OWASP Top 10 list was last updated in 2010; in this update the importance of cross-site scripting (XSS) and cross-site request forgery (CSRF) has been reduced, while risks related to broken authentication and session management have been prioritized higher.

Injection attacks (code injection, SQL injection, etc.), the topmost risk in 2010, retain their position in the new list. According to OWASP, the 2013 Top Ten list (PDF) was compiled from half a million vulnerabilities discovered in thousands of applications from hundreds of vendors.

OWASP Top 10 - 2013


On Entropy Depletion & Related Links

I had to dig these up in the context of a conversation around the (in)security of currency regimes such as Bitcoin, where presumed ownership of currency is built solely upon asymmetric cryptography. You may find some of these links to be of interest as well.

Textbook RSA is insecure
   and other interesting observations...
   http://crypto.stanford.edu/~dabo/courses/cs255_winter00/RSA.pdf

Hardware Security for FPGAs using Cryptography
   contains a great overview of different kinds of side-channel attacks on cryptography
   https://www.escrypt.com/fileadmin/escrypt/pdf/Hardware_Security_for_FPGAs_using_Cryptography_Microsemi_Huettemann.pdf

Acoustic cryptanalysis: on nosy people and noisy machines
   seeing through The Matrix isn't really that hard if you know how to look at it

Disk encryption may not be secure enough
   ye olde standard cold boot attack

On Entropy Depletion
   Running out of randomness can hurt, bigtime.
   http://www.educatedguesswork.org/2008/10/on_entropy_depletion.html

Researchers Crack RSA Encryption Via Power Supply
   Invasive side-channel attack.

Blue Pill - Machine Virtualization for Fun, Profit, and Security
   Virtualization attacks. Epic turtles.

via David Lazar.

Presentation on Exploring 'Distributed' in DDoS

Exploring Distributed in DDoS - Social Engineering aspects of an 'Anonymous' style DDoS attack
Recorded 24 April 2013.

Abstract:

With the proliferation of social media and mobile devices to the masses, protecting against distributed denial of service attacks has become an arduous technical challenge. Even though we expect much more sophistication, research reports show that the majority of Anonymous-style hacktivist attacks take the form of distributed denial of service. During analysis of the largest-known hacker forums, with roughly 250,000 members, Imperva's hacker intelligence report states that social networks today pose a major interest for hackers. In this talk we discuss the technical challenges and potential remediation of such denial of service attacks. The presentation will elaborate on key tenets of defense in depth and web application security do's, and outline potential threats for the financial application domain.

The Cultural Knowledge Consortium (CKC) is a joint and inter-agency effort established to provide a Socio-cultural Knowledge Infrastructure (SKI) to help provide access to and connect multi-disciplinary, worldwide social science expertise, and to support collaborative engagement efforts in support of Combatant Command (COCOM) socio-cultural analysis requirements. CKC supports and complements the alignment and synchronization of DoD analytical efforts, operational information requirements, and training programs.


Hacking Web Apps - Book Review

Hacking Web Apps - Detecting and Preventing Web Application Security Problems, by Mike Shema, is a contemporary guide on web application security. Mike's labor of love, as he likes to call this book, contains very relevant and distilled information on modern day web application attacks. The book is different from your garden variety web-application-top-n-style verbose texts with template vulnerabilities and hello-world solutions; Hacking Web Apps is a book with a strong personality, which shows in the eight chapters covering diverse topics from HTML5 security, XSS, CSRF and platform weaknesses to browser and privacy attacks.


Starting with HTML5, the author discusses security issues surrounding the "new" DOM, CORS, web sockets, web storage and web workers in a concise and concrete manner. This first chapter, however brief, makes this book quite unique, since very few books to my knowledge have dealt with security issues pertaining to HTML5. The book provides a nice knowledge upgrade on exploits and vulnerabilities when it comes to web 2.0 technologies. Packed with tips, epic failures and notes providing security anecdotes from the real world, this text keeps you involved and entertained throughout. Going beyond the usual CWE/SANS and OWASP top-x vulnerabilities, the author elaborates on design issues and draws parallels on how to apply these lessons to other similar problems. The text tends to be language agnostic and code samples are in multiple languages (Python, PHP, etc.), but I do miss examples with the specifics of libraries such as AntiForgeryToken in ASP.NET MVC.

Since I have not read any of Mike's previous books, I cannot comment on how much is shared between his writings but for any web and server side developer interested in security, I'd highly recommend reading this book.


Slides from the 11th Annual SecureIT Conference - "OWASP Web Services Security - Securing your Service Oriented Architecture"

I recently spoke at the 11th SecureIT conference on "OWASP Web Services Security - Securing your Service Oriented Architecture". This annual event was hosted by UC San Bernardino at the Sheraton Fairplex Hotel.

The SecureIT Conference provides focus and opportunities to higher education staff meeting the challenges of providing a secure information technology environment for campus communities. The event was well attended, with distinguished speakers including Pradeep Khosla, UC San Diego's chancellor; Michael Montecillo, IBM Security Services Threat Research and Intelligence Principal; and Eric Skinner, VP of Mobile Security for Trend Micro.

The slides of my presentation can be found below.


SecureIT 2013 - OWASP Web Services Security- Securing Your Service Oriented Architecture

I am confirmed to speak to SecureIT 2013 Conference with OWASP Los Angeles chapter leader, Tin Zaw. Following is the abstract from my talk.

Abstract: Any Service-Oriented Architecture (SOA) needs to support security features that provide auditing, authentication, authorization, confidentiality, and integrity for the messages exchanged between the client and the service. Microsoft Windows Communication Foundation (WCF) provides these security features by default for any application that is built on top of the WCF framework. In this session the presenters will discuss the WCF security features related to auditing and logging, authentication, authorization, confidentiality, and integrity.

This talk focuses on WCF security features, with code demonstrations of using behaviors and bindings to configure security for your WCF service. Bindings and behaviors allow you to configure transfer security, authentication, authorization, impersonation and delegation, as well as auditing and logging. This presentation will help you understand basic security-related concepts in WCF: what bindings and behaviors are and how they are used in WCF, authorization and roles in the context of WCF, impersonation and delegation in the context of WCF, and what options are available for auditing in WCF.

Targeted towards solution architects and developers, this talk will provide architectural guidance regarding authentication, authorization and communication design for your WCF services; solution patterns for common distributed application scenarios using WCF; and principles, patterns and practices for improving key security aspects in services.
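As an added illustration of the binding and behavior settings the abstract refers to (this is example configuration written for this page, not the talk's demo code), here is a WCF app.config fragment with a binding that disables transfer security next to a hardened binding, plus a service behavior that turns on security auditing. The service, contract and binding names are placeholders, and the role provider referenced by `roleProviderName` is assumed to be configured separately under `system.web`.

```xml
<configuration>
  <system.serviceModel>
    <bindings>
      <wsHttpBinding>
        <!-- Weak: mode="None" sends messages in cleartext with no caller authentication. -->
        <binding name="InsecureBinding">
          <security mode="None" />
        </binding>
        <!-- Hardened: TLS protects the channel and the caller presents a
             username token inside the message, so the service can authenticate it. -->
        <binding name="HardenedBinding">
          <security mode="TransportWithMessageCredential">
            <transport clientCredentialType="None" />
            <message clientCredentialType="UserName" />
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>
    <behaviors>
      <serviceBehaviors>
        <behavior name="AuditedBehavior">
          <!-- Authorization decisions use ASP.NET roles (assumed role provider name). -->
          <serviceAuthorization principalPermissionMode="UseAspNetRoles"
                                roleProviderName="AspNetSqlRoleProvider" />
          <!-- Log authentication and authorization successes and failures to the
               Windows Application event log; do not swallow audit write failures. -->
          <serviceSecurityAudit auditLogLocation="Application"
                                serviceAuthorizationAuditLevel="SuccessOrFailure"
                                messageAuthenticationAuditLevel="SuccessOrFailure"
                                suppressAuditFailure="false" />
        </behavior>
      </serviceBehaviors>
    </behaviors>
    <services>
      <!-- Placeholder service; note the endpoint uses the hardened binding over https. -->
      <service name="Example.OrderService" behaviorConfiguration="AuditedBehavior">
        <endpoint address="https://localhost/orders"
                  binding="wsHttpBinding"
                  bindingConfiguration="HardenedBinding"
                  contract="Example.IOrderService" />
      </service>
    </services>
  </system.serviceModel>
</configuration>
```

With `serviceAuthorizationAuditLevel` and `messageAuthenticationAuditLevel` set to `SuccessOrFailure`, failed logons and denied calls show up in the Application log, which is the signal a defender wants to collect.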


Presenters

Adnan Masood, MS, MCSD

Senior Software Architect at Greendot Corp., Chapter Leader and President, Pasadena .NET Developers Group

Tin Zaw, CISSP, CSSLP

Chapter Leader and President, OWASP LA
