Security

State of IoT Security

In a recent podcast by Scott Hanselman and Erica Stanley, an Internet of Things (IoT) primer, the guest mentioned how security is being treated as an afterthought for most things IoT. This is unfortunately true in many areas of software development; but with the unprecedented growth of IoT, this laxity in applying security standards will quickly become a safety as well as a security dilemma.

To borrow the variety, velocity and volume analogy from Big Data, IoT is likewise subject to a very large variety of devices, supporting different velocities (performance capacities) and volumes (large numbers of devices, meshes, etc.). Protecting the data on these devices and providing privacy are the key challenges in IoT. Lax security is also bad for business: it will decrease adoption, hurt the success of IoT and hinder overall development.

Following are some of the relevant links and papers which provide overview, analysis and taxonomy of security and privacy challenges in IoT.


References and Further Reading


Norse - IPViking Live - honeypots for visualization

Systems and methods for dynamic protection from electronic attacks - US Patent 8726379 B1

Systems and methods for gathering, classifying, and evaluating real time security intelligence data concerning security threats presented by an IP address, and reporting in real time the degree and character of such security threats.

Attacks


Penetration Testing techniques in Web Applications - Infographic

Penetration Testing techniques in web applications by Dimitris Mandilaras and Nikolaos Tsalis is a succinct infographic review of different security testing frameworks and methodologies, including OWASP, PTES, ISSAF, NIST, OSSTMM and PTF.

A short poster can be downloaded from here.



Selection of 2014 F# / Functional Programming Resources


Excellent list of Cyber Security Resources

Top 100+ Cyber Security Blogs & Infosec Resources - Excellent List by DDOS Protection



Resolution for "The group's SID could not be resolved" Error

I recently encountered the following error when enumerating the UserPrincipal.GetAuthorizationGroups collection.

System.DirectoryServices.AccountManagement.PrincipalOperationException: An error (1301) occurred while enumerating the groups.  The group's SID could not be resolved.

The problem was the introduction of a domain controller running Server 2012 while the machine running my application was a Windows 7 VM (this applies to Windows Server 2008 as well).

With a little googling, it appears that this SID error on a Windows 7 machine after the introduction of a 2012 domain controller is a known issue. When a 2012 domain controller is involved, the GetAuthorizationGroups() call fails on the groups (SIDs) that are added to a user's token by default.

Installing KB2830145 fixed my problem.
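Below is an added example (not code from the original post) showing the enumeration that triggers the error, and one way to keep an application working on clients where the hotfix cannot be applied yet: if GetAuthorizationGroups() throws PrincipalOperationException, fall back to reading the user's tokenGroups attribute and translating each SID individually, so a single unresolvable SID is reported instead of aborting the whole enumeration. The domain name and account used in the usage comment are placeholders, and the tokenGroups fallback is my workaround, not the fix described on this page.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.DirectoryServices.AccountManagement;
using System.Security.Principal;

static class GroupEnumeration
{
    // Returns the names of the groups in the user's token. Tries the managed
    // API first; on the "1301 / SID could not be resolved" failure it falls
    // back to the raw tokenGroups attribute and translates SIDs one by one.
    public static IList<string> GetGroupNames(string domain, string samAccountName)
    {
        var names = new List<string>();

        using (var ctx = new PrincipalContext(ContextType.Domain, domain))
        using (var user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, samAccountName))
        {
            if (user == null)
                throw new ArgumentException("user not found: " + samAccountName);

            try
            {
                // This is the call that fails with PrincipalOperationException
                // (error 1301) on an unpatched Win7/2008 client talking to a 2012 DC.
                foreach (Principal p in user.GetAuthorizationGroups())
                {
                    using (p) names.Add(p.SamAccountName ?? p.Sid.Value);
                }
                return names;
            }
            catch (PrincipalOperationException ex)
            {
                Console.Error.WriteLine("GetAuthorizationGroups failed: " + ex.Message
                                        + "; falling back to tokenGroups");
                names.Clear();
            }

            // Fallback: tokenGroups is a constructed attribute, so it must be
            // explicitly loaded into the cache before it can be read.
            var entry = (DirectoryEntry)user.GetUnderlyingObject();
            entry.RefreshCache(new[] { "tokenGroups" });

            foreach (byte[] sidBytes in entry.Properties["tokenGroups"])
            {
                var sid = new SecurityIdentifier(sidBytes, 0);
                try
                {
                    names.Add(sid.Translate(typeof(NTAccount)).Value);
                }
                catch (IdentityNotMappedException)
                {
                    // The SID is in the token but this client cannot resolve it
                    // (the situation behind error 1301). Record it rather than fail.
                    names.Add(sid.Value + " (unresolved)");
                }
            }
        }
        return names;
    }

    // Usage (placeholder domain and account):
    //   foreach (var g in GroupEnumeration.GetGroupNames("CONTOSO", "jdoe"))
    //       Console.WriteLine(g);
}
```

The fallback is only a mitigation: the unresolved SIDs are still unresolved, so any authorization decision based on group names must treat them as unknown rather than silently ignoring them, which is why they are kept in the list with an explicit marker.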

References



Poodle & Sandworm

In the spirit of the recently passed National Cyber Security Awareness Month, a shout out to CVE-2014-4114 (MS14-060), a vulnerability in the OLE package manager that can be exploited to remotely execute arbitrary code on Microsoft Windows versions Vista SP2 through Windows 8.1 and on Server 2008 and 2012. Yeah, 2012 too.

And here's to POODLE:

POODLE: This dog bites – An infographic by the team at Pluralsight


Hacktivity - Software Threat Modeling by Shakeel Tufail

Threat modeling and diversion tactics; a good high-level overview of software security.

There are only a handful of threat modeling approaches in the industry which are difficult to implement due to the subjective guidelines. Our training session will focus on best practices and a hands-on approach that will provide attendees a better understanding of how to conduct threat modeling in their organization. Most threat models focus on attackers, we will look at the threat model using trust zones, identifying assets, indirect threats, and ambiguity analysis. We will also speak about secure design concepts and best practices for securing software architecture.

Learning Objectives: At the end of this workshop, participants will be able to:

  • Understand the basics of threat modeling software applications
  • Understand the meaning of threats, attack vectors, and trust zones
  • Learn about ambiguity analysis
  • Learn about secure design concepts
  • Learn best practices for securing software architecture

Notes from my LA C# User Group Talk

I spoke to the LA C# User Group last night in Pasadena on the topic of Web Application Security with OWASP.

The slide deck of my talk can be downloaded from here. LA C# OWASP Presentation

Links from the talk follow.


Web/Services Security Talk @ San Diego.NET User Group

Andrew Karcher, SQL Server MVP, invited me to speak to the San Diego .NET User Group this Tuesday. The topic of my talk was Secure Code Top 10 (OWASP) for Service Oriented Architectures, and the presentation slides can be downloaded from here. Links from the talk follow.

Web Service Security Cheat Sheet

https://www.owasp.org/index.php/Web_Service_Security_Cheat_Sheet

OWASP WebGoat.NET

https://www.owasp.org/index.php/Category:OWASP_WebGoat.NET

WCF Security Fundamentals

http://msdn.microsoft.com/en-us/library/ff650862.aspx

WebGoat.NET Github (Web Forms)

https://github.com/jerryhoff/WebGoat.NET

WebGoat.NET Github (MVC)

https://github.com/kahanu/webgoat.mvc

Nonce

http://en.wikipedia.org/wiki/Cryptographic_nonce

OWASP

https://www.owasp.org/index.php/Main_Page

C is for cookie, H is for hacker – understanding HTTP only and Secure cookies

http://www.troyhunt.com/2013/03/c-is-for-cookie-h-is-for-hacker.html

Advanced SQL Injection - Havij

http://www.itsecteam.com/products/havij-v116-advanced-sql-injection/

OWASP Top 10 for .NET

http://www.troyhunt.com/2011/12/free-ebook-owasp-top-10-for-net.html

Samy Worm

http://en.wikipedia.org/wiki/Samy_(computer_worm)

HTML encoding in ASP.NET / MVC

http://weblogs.asp.net/scottgu/archive/2010/04/06/new-lt-gt-syntax-for-html-encoding-output-in-asp-net-4-and-asp-net-mvc-2.aspx

HTML encoding in Razor

http://stackoverflow.com/questions/4973504/turn-off-html-encoding-in-razor

How Hackers Stole 200,000+ Citi Accounts Just By Changing Numbers In The URL

http://consumerist.com/2011/06/14/how-hackers-stole-200000-citi-accounts-by-exploiting-basic-browser-vulnerability/

6.5 Million Encrypted LinkedIn Passwords Leaked Online

http://www.tomsguide.com/us/LinkedIN-Calendar-iOS-Hack-passwords,news-15464.html

Stuxnet

http://en.wikipedia.org/wiki/Stuxnet

Flame

http://en.wikipedia.org/wiki/Flame_(malware)

Rainbow Tables

http://en.wikipedia.org/wiki/Rainbow_table

Preventing Cross-Site Request Forgery (CSRF) Attacks

http://www.asp.net/web-api/overview/security/preventing-cross-site-request-forgery-(csrf)-attacks

Happy Coding!

