Slides from Bret’s lightning talk can be downloaded here.

NoSQL for the SQL Server DBA

I have attended cloudcamps organized by Dave Nielsen in the past but this particular event wasn’t as organized as the one at Microsoft campus couple of years ago (and through no fault of his own). Dave is a Co-Founder of CloudCamp and author of the book PayPal Hacks. The event started late and hence the unconference style sessions and panels were cut short and disrupted. Lots of echo so it was hard to hear and topics which came out of un-conference discussion weren’t quite diverse and well organized even for an unconference. However, the data center tour was fun!

and a much nicer write-up by morphlaps on CloudCamp LA – Why Open Source (and OpenStack) Matters To the Enterprise

I get to meet Jason Woloz who is heading up the Cloud security alliance LA chapter. The first meetup is coming soon. http://www.meetup.com/LASC-CSA/

References:

• New 1-day Class ‘NoSQL for the SQL Server Pro’ - Lynn Langit
• Bruno Terkaly on CQRS
• Cloud Security Alliance
• Greg Young on what CQRS is and isn’t
• Martin Fowler’s overview of CQRS
• Udi Dahan’s CQRS clarification

The focus of the panel is upon Recruitment and communication i.e. how Anonymous leverages social networks to recruit its members and pick a target, application attack i.e sequence the steps Anonymous hackers deploy to take data and bring down websites, DDoS i.e. the DDoS techniques deployed to take down websites and finally the key mitigation steps that organizations need to take if they ever become a target.

Location:

Four Points by Sheraton Los Angeles
5990 Green Valley Cir
Culver City, CA 90230
(310) 641-7740
RSVP at http://www.meetup.com/OWASP-Los-Angeles/

Brief introductions to threat families ranging from Win32/Nimda to Win32/Bagle, Win32/Conficker, JS/Pornpop(of specially crafted JavaScript-enabled objects that attempt to display pop-under advertisements) and Win32/OpenCandy are provided. This report makes a good executive summary of software threats and trends they follow. It can be downloaded from here.

• OWASP Top 10 Presentation
• AppSec Tutorial Videos
• OWASP Cheat Sheets
• ASP.NET MVC Best Practices
• Microsoft Partners in Learning
• OWASP 2010 Top 10 Cheat Sheet
• Free eBook: OWASP Top 10 for .NET developers
• Troy Hunt (MVP) OWASP Related posts
• Anti-Forgery Request Recipes For ASP.NET MVC And AJAX
• Microsoft Security Development Lifecycle
• Authorize Attribute
• OWASP Webgoat Project
• Keep your .config clean with external config files
• jQuery Ajax calls and the Html.AntiForgeryToken()
• Does ASP.NET Viewstate implicitly prevent CSRF attacks? What does this mean for MVC?
• Protecting against CSRF attacks in ASP.Net MVC
• Anatomy of a Cross-site Request Forgery Attack
• webgoat.mvc (kahanu fork - complete)
• Step by Step improvement in Guarding against CSRF in MVC

Happy Secure Coding!

Here is the abstract.

Practical Web Application Security and OWASP Top 10 implementation on Microsoft Platform

Presenters: Adnan Masood, Tin Zaw

This session is a hands-on introduction to the web application security threats using the OWASP top 10 list of potential security flaws. The OWASP Top Ten provides a powerful awareness list for web application security and represents a broad consensus about what the most critical web application security flaws are.

Focusing on Microsoft platform with examples in ASP.NETand ASP.NETMVC, we will go over some of the common exploits and techniques for writing secure code in the light of OWASP top 10. In this code centric talk, we will discuss built in security features ofASP.NET and MVC such as cross site request forgery token and secure cookies and how to leverage them to write secure code. The OWASP Top 10 Web Application Security Risks for 2010 which will be covered in this presentation include Injection flaws, Cross-Site Scripting (XSS), Broken Authentication and Session Management, Insecure Direct Object References, Cross-Site Request Forgery (CSRF),Security Misconfiguration, Insecure Cryptographic Storage, Failure to Restrict URL Access, Insufficient Transport Layer Protection and Unvalidated Redirects and Forwards.

Online registration is open till September 3. We have 5 keynote speakers, 2 panel discussions, 6 training classes and 20 plus high quality presentations.

Website: http://www.appsecUSA.org
URL to register is http://appsecUSA.org/reg
Agenda: http://www.appsecUSA.org/agenda

Volunteer opportunities

1. If your development machine is XP (or 2K3 server) and you need dev SSL cert installed on it, follow the instructions mentioned in the articles here. The SelfSSL makes it real easy to do self signed certificates, literally one statement.

Setting up SSL with a SelfSSL certificate on Windows Server 2003 (and XP)

Create a self-signed SSL certificate with IIS 6.0 Resource Kit SelfSSL

2. Create a WCF Service Project. Name the service and contracts appropriately. In my sample it is a simple contract like follows.

   [ServiceContract]
    public interface IWcfService
    {
        [OperationContract]
        string GetData(int value);
    }

Make sure you make the appropriate config changes matching with your service contract.

2. Add a custom validator class in your service. You can create a separate file for it. In this example I have added it to the main service file WcfService.svc.cs. You are going to need to add the reference (not just adding these lines at the top, go to add-reference and add the corresponding dll’s to the project)

using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;

and the custom validator code.

public class CustomValidator : UserNamePasswordValidator
    {
        public override void Validate(string userName, string password)
        {
            if (userName == "test" && password == "test")
                return;
            throw new SecurityTokenException(
                "Unknown Username or Password");
        }
    }

You probably want to make this user name and password moved to a more secure location or point to your database/authentication store for security and maintainability perspective.

3. Now the code part is done. Move to config file. Enable custom errors so you know details about the errors happening.

<customErrors mode=”Off” defaultRedirect=”GenericErrorPage.htm”>

4. Add a new bindings attribute in the config called SafeServiceConf which will specify the TransportWithMessageCredential type of security. You can add this right before </system.serviceModel>

<bindings>
<wsHttpBinding>
<binding name="SafeServiceConf" maxReceivedMessageSize="65536">
<readerQuotas maxStringContentLength="65536" maxArrayLength="65536"
maxBytesPerRead="65536" />
<security mode="TransportWithMessageCredential">
<message clientCredentialType="UserName" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<bindings>       <wsHttpBinding>          <binding name="SafeServiceConf" maxReceivedMessageSize="65536">             <readerQuotas maxStringContentLength="65536" maxArrayLength="65536"                maxBytesPerRead="65536" />             <security mode="TransportWithMessageCredential">                <message clientCredentialType="UserName" />             </security>          </binding>       </wsHttpBinding>    </bindings>

5. Modify your end point address to refer to this binding configuration

			<endpoint address="" binding="wsHttpBinding" contract="MySamples.IWcfService" bindingConfiguration="SafeServiceConf">

also modify your metadata exchange endpoint to use mexHttpsBinding

				<endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange"/>

6. Modify your service behavior to look like this

				<behavior name="WcfService.Service1Behavior">
					<serviceMetadata httpGetEnabled="true"/>
          <serviceDebug includeExceptionDetailInFaults="true" />
          <serviceCredentials>
            <userNameAuthentication
                 userNamePasswordValidationMode="Custom"
                 customUserNamePasswordValidatorType="MySamples.CustomValidator,WcfService"
                                                                          />

          </serviceCredentials>
        </behavior>

It’s recommended that “Include exception in faults” should be disabled when moved to production.

7. Now you are almost ready to run the service however before you do this, make sure that you are running it in the IIS AND you have the SSL enabled on the server as specified in step 1 otherwise you’ll run into WCF error stating that there is no HTTPS endpoint available.

Setup Virtual Directory in IIS from Visual Studio

You should be able to run and see the service end point as follows.

Running WCF Service over SSL

Running WCF Service over SSL 2

8. Now that the service is done, let’s move towards building the client. Add the service reference to the service end point. You can do it either via entering the entire URL or using the discover feature.

Add WCF Reference

9. Name your reference “Client” or modify your code appropriately. Following is the code for client implementation.

       private static void Main(string[] args)
        {
           ServicePointManager.ServerCertificateValidationCallback = new RemoteCertificateValidationCallback(
                delegate { return true; });

            var client = new WcfServiceClient();
            GetCredentials();
            client.ClientCredentials.UserName.UserName = username;
            client.ClientCredentials.UserName.Password = password;
            Console.Write(client.GetData(1));
            client.Close();
            Console.Read();
        }

The RemoteCertificateValidationCallback part is used to programatically avoid the following warning which would popup due to self signed cert usage.

Self signed Certificate Warning

10. Now run the program.

Running WCF client

You can see that for the right credentials, service will run just fine. Otherwise a security exception will be thrown.

Source code can be downloaded from here.WCFAuthSample

Feel free to drop me an email or comment here if you have any questions.

References and Further Readings:

How to: Authenticate with a User Name and Password

WCF Service over HTTPS with custom username and password validator in IIS

Chapter 5 – Authentication, Authorization and Identities in WCF

How to: Use Transport Security and Message Credentials

SecurityMode Enumeration

WCF: Could not establish trust relationship for the SSL/TLS secure channel with authority

Deploying an Internet Information Services-Hosted WCF Service

How messages are encrypted when security mode is “Message”?

Simple WCF – X509 Certificate

Windows HTTP Services Certificate Configuration Tool (WinHttpCertCfg.exe)

Setting up SSL with a SelfSSL certificate on Windows Server 2003 (and XP)

Create a self-signed SSL certificate with IIS 6.0 Resource Kit SelfSSL

The OWASP Top 10 Web Application Security Risks for 2010 are:

• A1: Injection
• A2: Cross-Site Scripting (XSS)
• A3: Broken Authentication and Session Management
• A4: Insecure Direct Object References
• A5: Cross-Site Request Forgery (CSRF)
• A6: Security Misconfiguration
• A7: Insecure Cryptographic Storage
• A8: Failure to Restrict URL Access
• A9: Insufficient Transport Layer Protection
• A10: Unvalidated Redirects and Forwards

Click here to download the OWASP Top 10 – 2010

OWASP’s list have been changed since 2004 in terms of priorities; XSS and inject flaws are on the rise. Details can be found on OWASP’s website.

OWASP .NET Projects
http://www.owasp.org/index.php/Category:OWASP_.NET_Project

References and Papers on Financial Data Mining

• Mine Your Way to Combat Money Laundering
• OFAC SDN List www.ustreas.gov/offices/enforcement/ofac/sdn/
• FinCen www.fincen.gov/
• FATF www.fatf-gafi.org/
• Suspicious Activity Report
• Keys to a Well Prepared Suspicious Activity Report
• A framework for data mining-based anti-money laundering research
• Profiling Behavior: The social construction of categories in the detection of financial crime; dissertation by Ana Canhoto
• Towards a Proactive Fraud Management Framework for Financial Data Streams
• T. Senator. “The financial crimes enforcement network AI system (FAIS).” AI Magazine 4, 1995.
• M. Sparrow. “The State of the Fraud Control Game; and the Impact of Electronic Claims Processing on Fraud and Fraud Control.” Proceedings of the International Symposium on Criminal Justice Information Systems and Technology, 1994.
• U.S. Congress, Office of Technology Assessment (OTA). “Information Technologies for Control of Money Laundering.” OTA-ITC-630. Washington, DC: U.S. Government Printing Office, September 1995.
• Zdanowicz, J.S. (2004), “Detecting money laundering and terrorist financing via data mining”, Communications of the ACM, Vol. 47 No.5
• Watkins, R.C., Reynolds, K.M., Demara, R., Georgiopoulos, M., Gonzalez, A., Eaglin, R. (2003), “Tracking dirty proceeds: exploring data mining technologies as tools to investigate money laundering”, Police Practice and Research, Vol. 4 No.2, pp.163-78.
• Vikram, A., Chennuru, S., Rao, H.R., Upadhyaya, S. (2004), “A solution architecture for financial institutions to handle illegal activities: a neural networks approach”, Proceedings of the 37th Hawaii International Conference on System Sciences-2004
• Zhang, Z., Salerno, J.J., Yu, P.S. (2003), “Applying data mining in investigating money laundering crimes”, paper presented at SIGKDD’03, Washington, DC, pp.747-52.
• Senator, T.E., Goldberg, H.G., Wooton, J. (1995), “The financial crimes enforcement network AI system (FAIS): identifying potential money laundering from reports of large cash transactions”, AI Magazine, Vol. 16 No.4, pp.21-39.
• Tang, J., Yin, J. (2005), “Developing an intelligent data discriminating system of antimony laundering based on SVM”, Proceedings of the Fourth International Conference on Machine Learning and Cybernetics. Guangzhou, pp.3453-7.
• Kingdon, J. (2004), “AI fights money laundering”, IEEE Intelligent Systems, Vol. 5/6 pp.87
• Goldberg, H.G., Wong, R.W.H. (1998), “Restructuring transactional data for link analysis in the FinCEN AI System”, Proceedings of 1998 AAAI Fall Symposium on Artificial Intelligence and Link Analysis, AAAI Press, Menlo Park, CA, .
• Fawcett, T., Provost, F. (1997), “Adaptive fraud detection”, Data Mining and Knowledge Discovery, Vol. 1 No.3, pp.291-316.