Tuesday, September 29, 2009

New Microsoft Security Essentials

Microsoft has announced the launch of the free anti-malware Security Essentials. It uses the Dynamic Signature Service, a Microsoft technology that ensures users are protected by the most current virus definitions available without having to wait for the next scheduled download. In addition, it is designed to run quietly in the background and limits CPU and memory usage. Unfortunatly, it is a still in beta and available to customers in the United States, Israel, China and Brazil only.
Although I think that the age of the "Signature Based" security is over and the furure lays with concepts such as profiling (AppArmor), labeling (SELinux and Solaris Trusted Extensions) and Mandatory Access Control, that is a still welcomed edition to the information security domain.

Thursday, September 17, 2009

Security Development Lifecycle Tools from Microsoft

Microsoft has released two additional tools to supplement secure development life cycle (SDLC) tools portfolio which includes well known AntiXSS, FxCop and Cat.NET.
The BinScope Binary Analyzer is a Microsoft verification tool that analyzes binaries to verify that required compiler/linker flags are being set, strong-named assemblies are in use, and up-to-date build tools are in place.
MiniFuzz is a basic testing tool designed to help detect code flaws that may expose security vulnerabilities in file-handling code. This tool creates multiple random variations of file content and feeds it to the application to exercise the code in an attempt to expose unexpected application behaviors.
Both tools (and others) are available to download for free from the Microsoft Security Development Life cycle Tools Repository.

Tuesday, September 15, 2009

How we protect you... Yeah, how?

Seriously, I don't get it. It is 2009, the network firewalls have been here fore more that twenty years and people (information security professionals, no more no less!) still make those amateur assumptions that they will solve all their security problems.
I've been reading HSBC's "Security guarantee" on their website (http://www.offshore.hsbc.com/1/2/international/internet-banking/how-we-protect-you) which states that they use the most advanced security systems and software to protect customer accounts including:
  • Combination of user name and password
  • Encryption (that would be https)
  • Network firewalls
  • SSL certificate (that still would be https)
Now that is secure, is not it? Well, no… Since application has access to the database, a skilled hacker would use encryption to bypass network firewalls (since firewall can not inspect the encrypted traffic) and user name/password fields could be used perform phishing, Cross Site Scripting (XSS) and SQL injections (diagram above).
In a year 2009, application security should be on the CISO agenda and network firewalls should be left to network administrators. Web applications should be protected by Web Application Firewalls (WAF), by constantly reviewing the source code to detect vulnerabilities and by training software architects and developers.

Tuesday, September 8, 2009

Flash Cookies - Yammy!

For some reason, everybody talks about flash cookies! But those are not much different to a traditional browser cookies we all know and love (to hate). The differences are that they are not controlled through a standard "privacy" setting of Internet browsers and they are less known (sadly, even to a Information Security specialists).
So where do you find those nasties and what to do about them?
To find these flash cookies all you have to do is to look for .sol extension in the following directories:
  • Windows: Within each user’s Application Data directory, under Macromedia\FlashPlayer\#SharedObjects.
  • Mac OS X: ~/Library/Preferences/Macromedia/FlashPlayer.
  • GNU-Linux: ~/.macromedia
There are number of alternatives to treat the problem:
  • Browser extensions (I know of Better Privacy extension for Firefox)
  • Schedule a task (using Task Scheduler for Windows or Cron job on Unix/Linux) to remove .sol files
  • Set access control permission on the relevant directory to be read only
And there is legal twist to this story as well. Apparently, usage of Flash cookies is illegal in UK according to Guidance on the Privacy and Electronic Communications (EC Directive) Regulations 2003.: "Cookies or similar devices must not be used unless the subscriber or user of the relevant terminal equipment:
* is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
* is given the opportunity to refuse the storage of, or access to, that information."

Thursday, September 3, 2009

AntiXSS v3.0

For years, (security aware) software developers were using OWASP ESAPI (Enterprise Security API) as a security framework to validate input/output to prevent Cross Site Scripting (XSS). Although it supports Java, Python, PHP and .NET among the others, only Java toolkit is mature enough to be used by the enterprises in production environment.
Now .NET users have Microsoft Anti-Cross Site Scripting Library to help protect applications from XSS attacks. In addition, enterprises may find Security Runtime Engine very useful since it has the ability to protect legacy applications from XSS attacks without having to change too much code.