Beware of wildcard-character MIME mappings in IIS

30 November 2006

I found it useful to do some checks on IIS when conducting a security deployment inspection. From http://support.microsoft.com/default.aspx/kb/326965:

SYMPTOMS: When you request a file from an IIS 6.0 Web server, and the file has a file name extension that is not a defined MIME type on the Web server, you receive the following error message: HTTP Error 404 - File or directory not found. And then: RESOLUTION... It might look like a problem, but it is just another countermeasure against possible attacks. IIS 6.0 does not serve unregistered file extensions. With IIS 5.0, files with unregistered...
No comments
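
The title warns about wildcard MIME mappings: registering "*" (or ".*") as a static-content extension makes IIS serve every file under the site root and throws away the "unregistered extension gets a 404" behaviour the KB article describes. The following is an added example, not code from the post or from Microsoft. It assumes the IIS 7+ XML configuration shape (applicationHost.config or web.config), where mappings appear as `<mimeMap fileExtension=".ext" mimeType="..."/>` under `<system.webServer><staticContent>`; IIS 6.0 kept the same mappings in the metabase MimeMap property, which would need a different reader. The sample configuration is constructed for the demo.

```python
"""Audit an IIS configuration fragment for wildcard MIME mappings.

Added example, not from the original post. Assumes the IIS 7+ XML layout:
<system.webServer><staticContent><mimeMap fileExtension=".ext" mimeType=".."/>.
A mapping whose fileExtension is "*" or ".*" serves every file regardless of
extension, which undoes the "unregistered extension -> 404" countermeasure.
"""
import xml.etree.ElementTree as ET

# Constructed sample: one legitimate mapping, one wildcard added by an admin
# who "fixed" the 404 by mapping everything to application/octet-stream.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <staticContent>
      <mimeMap fileExtension=".json" mimeType="application/json" />
      <mimeMap fileExtension=".*" mimeType="application/octet-stream" />
    </staticContent>
  </system.webServer>
</configuration>
"""

# Both spellings of the wildcard are treated as risky.
WILDCARD_EXTENSIONS = {"*", ".*"}


def find_mime_maps(config_xml: str):
    """Return (fileExtension, mimeType) pairs registered anywhere in the file."""
    root = ET.fromstring(config_xml)
    return [
        (m.get("fileExtension", ""), m.get("mimeType", ""))
        for m in root.iter("mimeMap")
    ]


def wildcard_mime_maps(config_xml: str):
    """Return only the mappings that serve every extension."""
    return [
        (ext, mime)
        for ext, mime in find_mime_maps(config_xml)
        if ext.strip().lower() in WILDCARD_EXTENSIONS
    ]


def audit(config_xml: str) -> bool:
    """True when the configuration is clean (no wildcard MIME mapping)."""
    bad = wildcard_mime_maps(config_xml)
    for ext, mime in bad:
        print(f"WARNING: wildcard MIME mapping {ext!r} -> {mime!r}; "
              "IIS will serve any file under the site root, including "
              "backups, includes and other files never meant to be published")
    return not bad


if __name__ == "__main__":
    audit(SAMPLE_CONFIG)
```

The right fix for a legitimately unserved extension is to add that one extension to the mapping list, not the wildcard; run the audit against the exported configuration after each such change.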

More money for hackers and … security specialists

28 November 2006

OK, we see more and more awareness of the importance of secure coding. There are even developers who implement best practices for secure coding. But here we are: there is a new area to dig into, mobile devices. It turns out there will be about 800 million workers powered with mobile devices by 2009. And there are some studies that unveil the gap between the IT folks who understand the risks and the management that sees only the benefits of using such devices. More on that here. More risks, more targets to attack ... and to protect.
No comments

COMSEC's Application Security Event

Yesterday I had the honor to present MS's vision and offerings regarding the Security Development Lifecycle: in MS products, and our recommendations for security engineering when developing applications using MS technologies. COMSEC was hosting the event. We also announced our partnership in this space. We also announced the ACE Israel team launch. The ACE team is a corp-based team focused on application security for MS apps such as microsoft.com, msn.com, and hundreds of internal apps like HR and CRM apps. Recently ACE started providing its services to Microsoft's clients. The ACE team provides comprehensive security engineering services around application...
No comments

App Architecture with Security in mind – Video, Part II

25 November 2006

In my previous post I showed why it is important to do server-side input validation and how easy it is to bypass any client-side input validation in web service invocation scenarios. Actually, anything that utilizes HTTP is pretty easy to intercept and change on the client: classic Web UI, Web Service, and AJAX. One can use HTTP debugging/proxy tools like Fiddler. I show this demo to folks and sometimes I hear "Hey, it is not relevant to us - we are using Remoting over a TCP channel, we are safe - it is binary...
No comments

Wanna go phishing?

It has nothing to do with fishing; rather, it is a kind of cyber crime that exploits the inability of today's technology to clearly present to the end user the identity of the web site she navigates to. It also relies heavily on naive human nature. Yeah, yeah - the yellow lock at the bottom of the browser, and even next to the URL. But did you actually click it and check the actual certificate it uses? Did you verify that its CA is a well-known trusted authority? Huh?... Consider this. One day I got an email that sounded very official from one...
No comments

App Architecture with Security in mind – Video, Part I

24 November 2006

Some time ago I was reviewing a high-level architecture spec for a really big project. In one place it stated: "Input validation checks will be done on the client side for perf reasons. Since the client part will do the security checks, the server part will not perform input validation since it is redundant and may hurt performance." Huh?.... Watch the video to see what happens when the input is validated on the client only. Double-click it to see it in full-screen mode. This time it is a WinForms client talking to a Web Service. Next time it is a Remoting client talking to...
No comments
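
The two video posts (Part I above and Part II further up the page) make one point: a check that runs only on the client is a check the attacker controls, whether the request travels as text over HTTP or as a binary payload over TCP. The following added example is not the video's code or anything from the post; it models the reviewed spec with a hypothetical transfer service whose client validates an amount and whose server either trusts the client or re-validates. JSON stands in for the web service body one would edit in Fiddler, and a struct-packed record stands in for a binary Remoting message; the business limit and account id are assumptions, and the tampered requests are constructed by hand in place of a proxy.

```python
"""Client-only versus server-side validation (added example, not the post's code).

Hypothetical transfer service: the client checks 0 < amount <= MAX_TRANSFER,
and the server either trusts that (naive_*) or repeats the check (hardened_*).
Tampering is simulated by rewriting the serialized request, which is what an
intercepting proxy or a few lines of socket code let an attacker do.
"""
import json
import struct

MAX_TRANSFER = 1_000  # assumed business limit


def client_validate(amount: int) -> bool:
    """What the WinForms client checks before it calls the service."""
    return 0 < amount <= MAX_TRANSFER


def client_send(amount: int) -> bytes:
    """Honest client: refuses to send anything it would not validate."""
    if not client_validate(amount):
        raise ValueError("client rejected amount")
    return json.dumps({"account": "ACC-1", "amount": amount}).encode()


def tamper(body: bytes, new_amount: int) -> bytes:
    """Edit the request in flight, as in a proxy's request editor."""
    req = json.loads(body)
    req["amount"] = new_amount
    return json.dumps(req).encode()


def naive_server(body: bytes) -> dict:
    """Server from the reviewed spec: assumes the client already validated."""
    req = json.loads(body)
    return {"ok": True, "transferred": req["amount"]}


def hardened_server(body: bytes) -> dict:
    """Server that validates the input itself, whatever the client did."""
    try:
        amount = json.loads(body)["amount"]
    except (ValueError, KeyError, TypeError):
        return {"ok": False, "error": "malformed request"}
    if (not isinstance(amount, int) or isinstance(amount, bool)
            or not 0 < amount <= MAX_TRANSFER):
        return {"ok": False, "error": "amount out of range"}
    return {"ok": True, "transferred": amount}


# Binary variant: fixed layout of 8-byte account id + signed 64-bit amount,
# standing in for a binary Remoting/TCP payload.
BIN_FMT = ">8sq"


def pack_binary(amount: int) -> bytes:
    """Honest client encoding of a validated request."""
    if not client_validate(amount):
        raise ValueError("client rejected amount")
    return struct.pack(BIN_FMT, b"ACC-1", amount)


def tamper_binary(msg: bytes, new_amount: int) -> bytes:
    """Overwrite the amount field: binary only changes the editor, not the access."""
    account, _ = struct.unpack(BIN_FMT, msg)
    return struct.pack(BIN_FMT, account, new_amount)


def naive_binary_server(msg: bytes) -> dict:
    _, amount = struct.unpack(BIN_FMT, msg)
    return {"ok": True, "transferred": amount}


def hardened_binary_server(msg: bytes) -> dict:
    if len(msg) != struct.calcsize(BIN_FMT):
        return {"ok": False, "error": "malformed request"}
    _, amount = struct.unpack(BIN_FMT, msg)
    if not 0 < amount <= MAX_TRANSFER:
        return {"ok": False, "error": "amount out of range"}
    return {"ok": True, "transferred": amount}


if __name__ == "__main__":
    evil = tamper(client_send(500), -1_000_000)  # negative amount: reverse the flow
    print("naive HTTP   :", naive_server(evil))
    print("hardened HTTP:", hardened_server(evil))
    evil_bin = tamper_binary(pack_binary(500), 10**9)
    print("naive TCP    :", naive_binary_server(evil_bin))
    print("hardened TCP :", hardened_binary_server(evil_bin))
```

The client-side check is still worth keeping for usability, but it is a convenience for honest users, not a security control; the server must treat every byte it receives as untrusted input regardless of transport or encoding.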

Bad Vista, Bad!!

21 November 2006

I was pretty confident in my English knowledge. I think people always seem to understand me, and I think I almost always understood what they wanted from me. This confidence was recently shaken by the Seattle Times article "A first look at Vista, good and bad". Can you help me with the logic here? I am having a hard time understanding why these are bad.

THE BAD

Security: It's vastly improved, but at times that's going to make the software frustrating to use. It could be especially frustrating shortly after Vista is released, if other software companies haven't updated their applications...
No comments