December 2006 - Posts
When you are scheduled for a security review meeting, be prepared for the above question. Security guys are concerned about the Identity Theft/Spoofing threat.
My suggestion is to go there prepared with the following question list, thus saving lots of [time, money, fights, blames, threats, vulnerabilities, <<fill in your own>>]
How do your end users identify themselves?
- User and Password pairs
- Digital Certificates?
- Other?
How are credentials sent over the wire (if any)?
- Clear text?
- Hashed?
- Over protected wire (SSL, IPSEC, etc)?
- Binary encoded?
How does your system authenticate your end users?
IT based
- Windows Integrated
- Digest
- Basic
- PKI
- Custom mechanisms (not the best choice)
How does your application manage credentials that it uses to authenticate itself with downstream servers?
- Hard coded (bad choice…)
- Clear text in config files (not the best one either)
- Encrypted in config files/registry (much better)
- Using process Identity (the best)
- Other?
How do your downstream servers (Web Services, Database, etc) authenticate incoming requests?
IT based
- Windows Integrated
- Digest
- Basic
- PKI
- Custom mechanisms (not the best choice)
- DB specific
How do you manage identities and their credentials?
- IT infrastructure based
- Custom store (not the best one...)
How do you flow identities over physical tiers?
- Infrastructure based (delegation for example, may hurt performance)
- 3rd party Solution
- WS-Security (SAML and co.)
- Custom (not the best choice)
How do you enforce credentials management policies?
- For passwords renewal
- For password complexity
How do you log suspicious authentication process activities?
More useful checklists here
Check out my previous post; it has some simple yet solid proofs of concept and suggests best practices.
Happy New Year!!
If you publish your code on the internet, then first They will use Google CodeSearch. For example, try looking for "initial catalog":
http://www.google.com/codesearch?q=%22initial+catalog%22&hl=en
If They are lucky and They have your binaries, then Reflector might help in looking for juicy hard-coded strings, but I believe They will choose to get all the strings using a simple tool that ships with Windows, FindStr, in conjunction with ILDASM, which ships with the .NET SDK or Visual Studio.
Like this:
Ildasm.exe secureapp.dll /text | findstr ldstr
IL_000c: ldstr "RegisterUser"
IL_0027: ldstr "@userName"
IL_0046: ldstr "@passwordHash"
IL_003e: ldstr "Logon successful: User is authenticated"
IL_0050: ldstr "Invalid username or password"
IL_0001: ldstr "Server=AppServer;database=users; username='sa'; password=password"
How to get protected?
- Do not hard code sensitive information.
- Use Windows authentication whenever possible, thus avoiding managing credentials.
- Use platform features to protect sensitive information.
Full how-to index here: http://msdn.microsoft.com/library/en-us/dnpag2/html/SecurityHowTosIndex.asp?frame=true
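The findstr trick above is just as useful on the defending side: run it over your own build output before release and fail the build when a connection string with an embedded login shows up. The following script is an added example (not from the post or from any Microsoft tool) that parses the kind of `ldstr` lines ildasm prints and flags literals that carry a credential, while accepting ones that use Integrated Security. The sample output is constructed: the first six lines follow the shape shown above, the seventh is an added literal that uses Windows authentication, and all function names are mine.

```python
import re

# Constructed sample of what "Ildasm.exe secureapp.dll /text | findstr ldstr"
# prints. The first six lines mirror the shape of the output shown in the post;
# the last line is an added, constructed literal that uses Windows authentication.
SAMPLE_LDSTR_OUTPUT = """\
IL_000c: ldstr "RegisterUser"
IL_0027: ldstr "@userName"
IL_0046: ldstr "@passwordHash"
IL_003e: ldstr "Logon successful: User is authenticated"
IL_0050: ldstr "Invalid username or password"
IL_0001: ldstr "Server=AppServer;database=users; username='sa'; password=password"
IL_0012: ldstr "Server=AppServer;Database=users;Integrated Security=SSPI"
"""

# One ildasm line: an IL offset label, the ldstr opcode, and a quoted literal.
LDSTR_RE = re.compile(r'^\s*IL_[0-9a-fA-F]+:\s+ldstr\s+"(.*)"\s*$')

# Connection-string keys that carry a SQL login or its secret (lower-cased).
SECRET_KEYS = {"password", "pwd", "user id", "uid", "username", "user"}
# Keys whose presence means the process identity is used instead of a stored secret.
INTEGRATED_KEYS = {"integrated security", "trusted_connection"}


def parse_ldstr_lines(text):
    """Return the string literals found in ildasm/findstr output, in order."""
    literals = []
    for line in text.splitlines():
        match = LDSTR_RE.match(line)
        if match:
            literals.append(match.group(1))
    return literals


def parse_connection_string(literal):
    """Split 'key=value;key=value' into a dict with lower-cased keys.

    Returns None when the literal does not look like a connection string.
    """
    if ";" not in literal or "=" not in literal:
        return None
    pairs = {}
    for part in literal.split(";"):
        if "=" not in part:
            continue
        key, _, value = part.partition("=")
        pairs[key.strip().lower()] = value.strip().strip("'\"")
    return pairs or None


def classify_literal(literal):
    """Return 'hardcoded-credential', 'integrated-auth', or None for other strings."""
    pairs = parse_connection_string(literal)
    if not pairs:
        return None
    if any(pairs.get(key) for key in SECRET_KEYS):
        return "hardcoded-credential"
    if any(pairs.get(key, "").lower() in ("sspi", "true", "yes") for key in INTEGRATED_KEYS):
        return "integrated-auth"
    return None


def audit_ldstr_output(text):
    """Return [(literal, classification)] for every literal that embeds a credential."""
    return [
        (literal, "hardcoded-credential")
        for literal in parse_ldstr_lines(text)
        if classify_literal(literal) == "hardcoded-credential"
    ]


if __name__ == "__main__":
    for literal, kind in audit_ldstr_output(SAMPLE_LDSTR_OUTPUT):
        # Print the offending literal with its secret value masked.
        print(kind, "->", re.sub(r"(?i)(password|pwd)\s*=\s*[^;]+", r"\1=***", literal))
```

Pipe the real ildasm output into `audit_ldstr_output` from a post-build step; a non-empty result is a release blocker. The integrated-auth classification is there so the check rewards the fix the post recommends (process identity via Windows authentication) instead of merely punishing the anti-pattern.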
Cheers
Security pro pleads guilty to USC breach
"Security professional Eric McCarty plead guilty in United States District Court in Los Angeles on Tuesday, admitting that he intentionally exploited a flaw in the online student application Web site of the University of Southern California, federal prosecutors said. "
"There is a right way to do penetration testing, and there is a wrong way," Zweiback said. "And Mr. McCarty's way was the wrong way, and hopefully this plea sends that message."
I think it is nonsense. These two should not be put next to each other. To me it is the same as "show me the ROI for car insurance" or "show me the ROI of the military and defense budget".
I definitely like the following, which is not about ROI but rather about keeping the business:
http://www.enterprisestrategygroup.com/ESGPublications/ReportListings.asp?ReportType=briefs
The Security Development Lifecycle (SDL). Advantage, Microsoft
11/3/2006
by Jon Oltsik
When it comes to Microsoft and security, few people ever mention Microsoft’s Security Development Lifecycle (SDL). ESG believes this is an unfortunate omission. The fact is that Microsoft’s commitment to SDL is an area of stealthy security leadership. ESG believes that other ISVs should embrace an SDL model as soon as possible and that enterprise organizations should mandate that technology vendors establish a measurable and transparent SDL process by 2008 or risk losing business.
Just finished two Application Security Awareness workshops for a major customer.
The audience is developers, and the major idea behind the workshop (two half days) is to emphasize the security fights one needs to manage throughout the development lifecycle - NOT just before app deployment. So we had some presentations and then practices where we tried to plan our security for imaginary applications - one Internet and the other intranet; then we did some code inspections looking for vulnerabilities and best practices.
I think it went pretty well - the great evals I got back from attendees prove it.
Enjoyed a lot.
First They will get some network sniffing tool. I am extremely proud that MS recently released the shiny new NETMON 3, which can be downloaded for FREE here https://connect.microsoft.com/availableconnections.aspx, and the team maintains a very nice blog here http://blogs.technet.com/netmon/default.aspx that explains in a very detailed manner how to capture and filter network traffic and even automate all this.
After studying all this, the first thing I believe They will try is to sniff HTTP traffic, applying a proper filter:
and look for juicy information like passwords or business-critical information in the frames They've captured:
How to get protected?
Avoid sending sensitive information over the wire. For example, when connecting to SQL Server:
Authentication
- How To: Use Windows Authentication in ASP.NET 2.0
- How To: Connect to SQL Server Using Windows Authentication in ASP.NET 2.0
Apply network protection mechanisms:
Communications Security
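The checklist at the top of the page asks whether credentials cross the wire as clear text, hashed, "binary encoded" or over a protected channel, and this post shows why the answer matters once someone is capturing frames. The script below is an added example (not from the post, not part of NETMON) that takes decoded HTTP requests of the kind a filtered capture yields and reports how each one exposes a credential to a passive observer: a password in a form body over plain HTTP, or HTTP Basic authentication, which is only Base64 encoded and therefore still clear text. Negotiate (Windows Integrated) does not send the password itself, and anything over TLS is ciphertext to the sniffer, so both come back clean. The captures and host name are constructed and the function names are mine.

```python
from urllib.parse import parse_qs

# Constructed captures: (URL scheme the frame was seen on, decoded request text).
# These stand in for what a filtered HTTP capture would show; none is from the post.
CAPTURED_REQUESTS = [
    ("http", "POST /login HTTP/1.1\r\nHost: app.example\r\n"
             "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
             "user=alice&password=Summer2006"),
    ("http", "GET /report HTTP/1.1\r\nHost: app.example\r\n"
             "Authorization: Basic YWxpY2U6c2VjcmV0\r\n\r\n"),
    ("http", "GET /report HTTP/1.1\r\nHost: app.example\r\n"
             "Authorization: Negotiate <token omitted>\r\n\r\n"),
    ("https", "POST /login HTTP/1.1\r\nHost: app.example\r\n"
              "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
              "user=alice&password=Summer2006"),
]

# Form field names that conventionally carry a password.
PASSWORD_FIELDS = {"password", "passwd", "pwd", "pass"}


def parse_http_request(raw):
    """Split a raw request into (request line, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def credential_exposure(scheme, raw):
    """Return the list of ways this request exposes a credential to a passive sniffer."""
    findings = []
    if scheme.lower() != "http":
        # Over TLS the capture holds ciphertext; there is nothing to read here.
        return findings
    _, headers, body = parse_http_request(raw)

    auth_scheme = headers.get("authorization", "").split(" ", 1)[0].lower()
    if auth_scheme == "basic":
        # Base64 is an encoding, not encryption: "binary encoded" is still clear text.
        findings.append("basic-auth-over-cleartext")
    # Negotiate/NTLM (Windows Integrated) does not place the password itself on the wire.

    content_type = headers.get("content-type", "")
    if content_type.startswith("application/x-www-form-urlencoded"):
        fields = parse_qs(body, keep_blank_values=True)
        if any(name.lower() in PASSWORD_FIELDS for name in fields):
            findings.append("cleartext-form-credential")
    return findings


def audit_capture(requests):
    """Return {index: findings} for every captured request that exposes a credential."""
    report = {}
    for index, (scheme, raw) in enumerate(requests):
        findings = credential_exposure(scheme, raw)
        if findings:
            report[index] = findings
    return report


if __name__ == "__main__":
    for index, findings in audit_capture(CAPTURED_REQUESTS).items():
        print(f"request #{index}: {', '.join(findings)}")
```

Running this against your own test traffic is a cheap way to answer the checklist question with evidence rather than assumption: every request it flags is one that Windows authentication or an SSL/IPSec channel would have taken off the wire.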
Cheers
http://msdn.microsoft.com/virtuallabs/teamsystem/
Writing Secure Managed Code with Visual Studio Team System
In this lab you will learn to:
- Fundamental design principles for building secure applications
- Technologies such as FxCop and code access security
- To build secure applications using various tools and techniques
Take this lab
It all happens with input that is not properly validated
from: http://msdn.microsoft.com/library/en-us/dnnetsec/html/THCMCh04.asp?frame=true#c04618429_006
Input Validation
Input validation is a challenging issue and the primary burden of a solution falls on application developers. However, proper input validation is one of your strongest measures of defense against today's application attacks. Proper input validation is an effective countermeasure that can help prevent XSS, SQL injection, buffer overflows, and other input attacks.
Isn't it obvious that someone had to come up with some sort of library that gives such functionality?
Here it is:
Microsoft Anti-Cross Site Scripting Library V1.5 is Released!
Tutorial: Microsoft Anti-Cross Site Scripting Library V1.5: Protecting the Contoso Bookmark Page
Validation Application Block: Revealed!
Forget Google Hacking, introducing Live Search Hacking.
First They will download the MSN Search SDK, which includes a sample app that looks like this:

They will also get the MSN search ID here
Then They will add some more functionality that will enable them to:
1. Directly navigate to the matching URL
2. Directly navigate to the matching URL while injecting, say, a single quote - this should generate errors and hopefully expose implementation details that will help them attack you further
3. Do bullet 2 in batch so They can start it before They go to sleep, and in the morning They will have all the error pages cached for offline investigation
Like this:

How to get protected?
The whole story is here and is called Security Engineering
Specifically for our case, input validation and exception handling best practices are your friends at Security Guidelines: ASP.NET 2.0
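The two posts above make one combined point: validate input so a stray single quote never reaches the backend, encode output so nothing that does get through becomes markup, and handle exceptions so that an error page never carries implementation details to whoever provoked it. The following is an added example in Python (not from the posts, and not the Anti-Cross Site Scripting Library or the Validation Application Block, which are .NET libraries) that ties the three together in one request handler. The data access layer, the exception text and the function names are constructed for illustration.

```python
import html
import logging
import re
import uuid

# Allowlist for a username: letters, digits, underscore, dot, dash; 1 to 32 chars.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")

LOG = logging.getLogger("app")


def validate_username(value):
    """Accept only allowlisted characters; quotes and angle brackets are rejected outright."""
    if not USERNAME_RE.fullmatch(value):
        raise ValueError("username failed allowlist validation")
    return value


def render_greeting(username):
    """Encode on output so even a value that slipped past validation cannot become markup."""
    return "<p>Hello, %s</p>" % html.escape(username, quote=True)


def lookup_user(username):
    """Stand-in for a data access layer (constructed). 'crash' simulates a backend failure."""
    if username == "crash":
        # Constructed exception text of the kind a raw error page would leak.
        raise RuntimeError("Incorrect syntax near 'users' in SELECT * FROM users WHERE name='crash'")
    return {"name": username}


def handle_request(raw_username):
    """Return (HTTP status, response body). Details go to the server log, never to the client."""
    try:
        name = validate_username(raw_username)
        user = lookup_user(name)
        return 200, render_greeting(user["name"])
    except ValueError:
        # Generic rejection: do not echo the raw input back into the page.
        return 400, "<p>Invalid input.</p>"
    except Exception:
        # Log the full exception server-side; hand the client only an opaque reference.
        reference = uuid.uuid4().hex[:8]
        LOG.exception("request failed, reference=%s", reference)
        return 500, "<p>Something went wrong. Reference: %s</p>" % reference


if __name__ == "__main__":
    for probe in ("alice", "o'brien", "<script>alert(1)</script>", "crash"):
        print(probe, "->", handle_request(probe))
```

The probe with the single quote is exactly step 2 of the search-driven scan described above; with an allowlist in front of the backend and a generic error page behind it, the batch run in step 3 collects nothing but "Invalid input." and reference numbers that mean something only in your own logs.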
Cheers
"The SEC charged Grand Logistic S.A., a Belize corporation located in Estonia, and its owner Evgeny Gashichev of Russia, with breaking into victims' computers and using the illicit access to their brokerage accounts to drive up stock prices. Between August 28 and October 13, 2006, the illegal scheme made the company at least $353,609" More here
I believe that the identity theft was possible due to inappropriate identity management and/or authentication schema.
That is why more and more compliance standards such as PCI get adopted.
Compliance tells you what to do, and Security Engineering tells you how.
Cheers
From: http://msdn.microsoft.com/library/en-us/dnpag2/html/PAGGuidelines0003.asp?frame=true#pagguidelines0003_strongnames
If you protect your code with a link demand for a StrongNameIdentityPermission to restrict the code that can call your code, be aware that this only works for partial trust callers. The link demand will always succeed for full trust callers, regardless of the strong name of the calling code.
In .NET Framework 2.0, any fully trusted assembly will satisfy any demand, including a link demand for an identity permission that the assembly does not satisfy. In .NET Framework 1.0, this did not happen automatically. However, a fully trusted assembly could simply call Assembly.Load, supplying as evidence the strong name it wants to satisfy, or, alternatively, it could turn code access security off like this:
SecurityManager.SecurityEnabled = false;
or like this, from a command prompt:
caspol -security off
The only protection against fully trusted code is to put it in a separate process and run that process with a restricted token so that its limits are enforced by the operating system. This applies whether code marks its interfaces as internal or private, or places link demands for StrongNameIdentityPermission on them.
The following code sample shows a method decorated with a link demand for a specific StrongNameIdentityPermission.
public sealed class Utility
{
    // Although SomeOperation() is a public method, the following
    // permission demand means that it can only be called by partial trust
    // assemblies with the specified public key OR by any fully trusted code.
    [StrongNameIdentityPermission(SecurityAction.LinkDemand,
        PublicKey="00240000048...97e85d098615")]
    public static void SomeOperation() {}
}
from: http://msdn.microsoft.com/library/en-us/dnpag2/html/PAGGuidelines0003.asp?frame=true
- You need to add your assembly to the global assembly cache. If you want your assembly to be shared among multiple applications, then you should add it to the global assembly cache. To add your assembly to the global assembly cache, you need to give it a strong name. Adding an assembly to the global assembly cache ensures that your assembly runs with full trust.
- You want to prevent partial trust callers. The CLR prevents partially trusted code from calling a strong named assembly by adding a link demand for the Full Trust permission set. You can override this behavior by using AllowPartiallyTrustedCallersAttribute (APTCA), although you should do so only if you are fully aware of the issues and after careful code review. For more information, see the section, "APTCA," in this document.
- You want cryptographically strong evidence for security policy evaluation. Strong names provide cryptographically strong evidence for code access security policy evaluation. This allows administrators to grant permissions to specific assemblies. For example, the public key component of a strong name is often used to represent a particular organization. You could create policy that only allows code from designated organizations to run on your computers.
Do Not Expect Strong Names to Make Your Assembly Tamper Proof!!!!