Wednesday, December 24, 2008

Enabling SSL in IIS

How to Configure Certificates to Enable SSL in IIS?

Use SSL in IIS to protect the communication channel between your WCF enabled web application and the web client. SSL protects sensitive data on the network from being stolen or modified.

The following are the steps to configure certificates for Secure Sockets Layer (SSL) communication in IIS.

1. Click Start and then click Run.
2. In the Run dialog box, type inetmgr and then click OK.
3. In the Internet Information Services (IIS) Manager dialog box, expand the (local computer) node, and then expand the Web Sites node.
4. Right-click Default Web Site and then click Properties.
5. In the Default Web Site Properties dialog box, click the Directory Security tab, and then in the Secure Communications section, click Server Certificate.
6. On the Welcome screen of the Web Server Certificate Wizard, click Next to continue.
7. On the Server Certificate screen, select the Assign an existing certificate radio button option, and then click Next.
8. On the Available Certificates screen, select the certificate you created and installed in previous step, and then click Next.
9. Verify the information on the certificate summary screen, and then click Next.
10. Click Finish to complete the certificate installation.
11. In the Default Web Site Properties dialog box, click OK.

Monday, December 22, 2008

Creating Temporary X.509 Certificates

How to Create a Temporary X.509 Certificate for Message Security

Use the following steps to create a temporary X.509 certificate for message security:

1. Create a certificate to act as your Root Certificate Authority

makecert -n "CN=RootCATest" -r -sv RootCATest.pvk RootCATest.cer

2. Create a Certificate Revocation List File from the Root Certificate

makecert -crl -n "CN=RootCATest" -r -sv RootCATest.pvk RootCATest.crl

3. Install your Root Certificate Authority on the server and client machines. Use MMC to install the RootCATes.cer on client and server machines in the Trusted Root Certification Authorities store

4. Install the Certificate Revocation List file on the server and client machines. Use MMC to install the RootCATes.crl on client and server machines in the Trusted Root Certification Authorities

5. Create and install your temporary service certificate

makecert -sk MyKeyName -iv RootCATest.pvk -n "CN=tempCert" -ic RootCATest.cer –sr localmachine -ss my -sky exchange -pe

6. Give the WCF Process Identity Access to the Temporary Certificate’s Private Key

7. FindPrivateKey.exe My LocalMachine -n "CN=tempCert"

cacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\Machinekeys\



The value "C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\Machinekeys\4d657b73466481beba7b0e1b5781db81_c225a308-d2ad-4e58-91a8-6e87f354b030" should be the one returned by findprivatekey

Wednesday, December 17, 2008

Importance of DMBS_Assert Package for Security

The DBMS_ASSERT package was introduced in Oracle 10g Release 2 and backported to Release 1 in the Oracle October 2005 Critical Patch Update. There are currently no references to this package in the 10g Release 2 documentation or on Metalink. The package contains a number of functions that can be used to sanitize user input and help to guard against SQL injection in applications that don't use bind variables.

Enquotes a string literal
Encloses a name in double quotes
NOOP Functions
Returns the value without any checking
Verifies that the input string is a qualified SQL name
Verifies that the input string is an existing schema name
Verifies that the input string is a simple SQL name
Verifies that the input parameter string is a qualified SQL identifier of an existing SQL object

It is this DBMS_Assert Package that that guarantees immunity to SQL Injection.

Preventing SQL Injection in Oracle

There are three kinds of SQL literal: text, datetime, and numeric. Each deserves separate attention.

Ensuring safety of Datetime literal

  • Use the two-parameter overload, for an input of datatype date, To_Char(d, Fmt), to compose a SQL datetime literal
  • Concatenate one single quote character before the start of this value and one single quote character after its end.
  • Assert that the result is safe with DBMS_Assert.Enquote_Literal().
  • Compose the date predicate in the SQL statement using the two-parameter overload for To_Date(t, Fmt) and using the identical value for Fmt as was used to compose t.
Notice that the mandate in the third bullet is the crucial one. It is this one that guarantees immunity to injection; the first two and the fourth mandates prevent annoying run-time errors.

The procedure p_Safe(), whose first few lines are shown in code below implements this approach. Of course, date is not the only datetime datatype. The same reasoning applies for, for example, a timestamp literal.

-- Code

procedure p_Safe(d in date) is
q constant varchar2(1) := '''';

-- Choose precision according to purpose.
Fmt constant varchar2(32767) := 'J hh24:mi:ss';

Safe_Date_Literal constant varchar2(32767) :=
Sys.DBMS_Assert.Enquote_Literal(q||To_Char(d, Fmt)||q);

Fmt_Literal constant varchar2(32767) := q||Fmt||q;
Safe_Stmt constant varchar2(32767) :=
' insert into t(d) values(To_Date('
|| Safe_Date_Literal
|| ', '
|| Fmt_Literal
|| '))';
execute immediate Safe_Stmt;

Ensuring the safety of a SQL text literal

The rules for composing a safe SQL text literal from a PL/SQL text value:

  • Replace each singleton occurrence, within the PL/SQL text value, of the single quote character with two consecutive single quote characters.
  • Concatenate one single quote character before the start of the value and one single quote character after the end of the value.
  • Assert that the result is safe with DBMS_Assert.Enquote_Literal()
Notice that the mandate in the third bullet is the crucial one. It is this one that guarantees immunity to injection; the first mandate prevents annoying run-time errors.

Ensuring the safety of a SQL numeric literal or simple SQL name

The rules for composing a safe SQL numeric literal from a PL/SQL numeric value:
  • Use explicit conversion with the To_Char() overload with three formal parameters. This overload requires that a value be supplied for Fmt. Explicitly provide the value that supplies the default when the overload with one formal parameter is used. This is 'TM'. 'TM' is the so-called text minimum number format model. It returns the smallest number of characters possible in fixed notation unless the output exceeds 64 characters.
  • Explicitly provide the value that supplies the default for the NLS_Numeric_Characters parameter when the one of the overloads with one or two formal parameters is used. This is '.,'.
  • Ensure the safety of the name with DBMS_Assert.Simple_Sql_Name().

Tuesday, December 16, 2008

How to Configure WCF for NATs and Firewalls

NATs and firewalls can impact the strategy by which your WCF clients and services communicate.
Use the following steps to determine WCF configuration for a NAT or firewall:

1. Determine the addressability of the service and client machines. If the service or the client are behind a NAT and are not directly addressable then use a technology such as Microsoft Teredo to enable communication.
2. Determine if there are protocol or port constraints on the service or client machines. For example, port 80 may be open through a firewall but other ports may be blocked.

Once you understand the addressability, protocol and port constraints on your service and its clients you can determine service and endpoint configuration. Use the table in the MSDN article “Working with NATS and Firewalls” at to determine the best configuration for your scenario.

Pan India Solutions Community

The Pan India Solutions Community has been created to provide a networking platform to software professionals,business analyst,technology analyst and students planning for a career in the field of IT Solutions.

This is the first of it's kind Pan India group.The group will organize regular boot camps , on-line solution challenge contests, pod casts , sharing of white papers and articles amongst members.

You can also join the group on linkedin>groups>solutionscommunity

Presentations of First Boot Camp Organized can be found at links below:

Monday, December 15, 2008

Avoiding Clear Text Passwords

Perform the following steps to avoid sending cleartext passwords over the network:

  • If possible, remove the need for a password at all by specifying ClientCredentialType=”Windows”, ClientCredentialType=”Certificate”, or a custom token that does not require a password.

  • If the user must enter a password, protect the password by specifying either to secure the channel or to secure the messages. Do not specify in the configuration as this will provide no communication security.

Monday, November 24, 2008

Impersonation without Windows Authentication

How to Impersonate the Original Caller without Windows Authentication

When using non-windows authentication like Certificate Authentication or username authentication, if you need to impersonate the original caller (if it has windows account) or a service account you have following 2 options

1. Using the S4U Kerberos extensions - For this you must grant your process account the "Act as part of the operating system" user right.
2. Using the LogonUser windows API - this needs to have access to the user credentials (username and password) - which increases the security risk of maintaining the user credentials in WCF Service.

Note: S4U Kerberos extensions places your process within the trusted computing base (TCB) of the Web server, which makes your Web server process very highly privileged. Where possible, you should avoid this approach because an attacker who manages to inject code and compromise your Web application will have unrestricted capabilities on the local computer.

Tuesday, November 18, 2008

Disabling Discovery

Microsoft WCF 3.5: How to Stop Clients from Referencing Your Service

If you want block clients from accessing the WSDL of your service you should remove all metadata exchange endpoints and set the httpGetEnabled and httpsGetEnabled attributes to false.

If the metadata is exposed, unwanted clients will be able to generate proxy files (e.g. using SvcUtil.exe) and inspect potentially sensitive methods and parameters offered by the service.

To stop your clients from referencing your service, stop your service from publishing its metadata. To do this, remove all the Mex endpoints from your service configuration and configure HttpGetEnabled and HttpsGetEnabled to false in the ServiceBehavior section as shown below:

serviceMetadata httpGetEnabled="False" httpsGetEnabled="False"

Saturday, September 27, 2008

Effective Software Security Management

Few excerpts from my white paper on 'Effective Software Security Management'

If you wonder “What makes secure software different?” you would realize that security is an innate property of the software which was expected to be built in. Unfortunately, most of applications lack security today. The traditional practices used to develop outsourced applications are no more effective. Even the Indian IT services companies lag in improvising their SDLC at the same pace with the global industry. One of the weakest areas where these companies fall is Software Security. Current business environment is fraught with risks. The applications demand tight software security embedded inside to prevent hackers getting in. To incorporate software security measures, enterprises need to change their existing application development lifecycle.

The current scenario is such that many companies to an extent have started addressing security earlier in the lifecycle to mitigate the risks of application security attacks. But, there is still room for improvement. The application security landscape is changing rapidly.

Customers outsourcing applications need to ensure the application development lifecycle of the IT services provider embark software security inline. The IT services companies on the other hand need to develop confidence in the customer for software security levels in their SDLC.

Maintaining a high level of security is no simple proposition. One of the key issues with outsourced applications is that unlike functional concerns, non-functional concerns of application like security and performance are always given lower priority. If the services companies fail to understand the importance of these non-functional factors, the customer is at loss. At the end, if these security defects are injected due to lack of measures taken during SDLC, it may destroy customer value and trust.

Growing Demand of Moving Security Higher in SDLC

Application Security has emerged as a key component in overall enterprise defense strategy. Companies that build a strong line of defense usually learn to think like an attacker. Often is a developer is asked to wear two hats: one as developer that works in complex distributed environments, and the other as a security expert who builds software security. Organizations that understand application security practices and priorities are using resources far more effectively than in years past, while avoiding costly and potentially crippling problems.

In the years past, anti-virus software, firewalls, intrusion detection and intrusion prevention systems have been successful enough to protect network and hosts. While still the bulk of attacks happen at network layer, attackers have been successful compromising the application with lower ratio of making applications as targets. The industry reports of organization suffering application attacks with significant downtime in the application or loss of customer data. Financial institutions, Healthcare providers, Retailers, Telecom Industry or even IT Companies have not been able to get escaped from becoming a victim of application attacks. The impact of these attacks have been damage to their brand name, loss in revenue, loss of customer data, system or network downtime and even legal issues with compliance to PCI (Payment Card Industry) or SOX (Sarbanes-Oxley) standards.

In the current world, software security assurance needs to be addressed holistically and systematically in the same way as quality and safety. Most of the assurance can be driven by improved software development practices. It is also important to realize that the security cost factor increases as you move down the SDLC.

Sunday, September 07, 2008

My Experience taking AppSec Workshops...

Hi All,

I have been taking Application Security workshops for the developers, architects and testers for more than 3.5 years now and I thought to share my experience of taking these AppSec Workshops and talking to the folks around in the workshops....

Here are a bit of experiment to share my learning's for everyone's benefit....

1. Requires Art to Involve Developers: While trying to talk to developers and breaking their myths about security, I have realized that the workshop needs a great deal of involvement.

"Tell me and I forget, teach me and I may remember, involve me and I learn" - Benjamin Franklin, is the perfectly apt for these kinda workshops too. Dealing with developers, I had to engage with them to make and help them realize the impact of security in building software. Giving real life examples - and perhaps by excitement, involving them by fun, through relevancy, through problem solving and through emotions.

2. Requires Art that can create excitement: Very often it is important that I need to bring in the momentum by showcasing demonstrations that brings in the excitement and keeps it up. I have realized some pitfalls too. Thinking that people would get excited as soon as they hear about an opinion or about a product, Thinking that the audience would be automatically enthusiatic if I am & Thinking I can create excitement by hitting the audience with "Everything I have got".

I started to engineer "kickers" for my audience. For example, once I said them I am going to show a magic. I have got a magic software in which if you enter your details tells something about your personal life. This created an atmosphere of curiousity & skepticism where people started thinking how can this be and how true it is. Smart people started thinking from where can I can hack their personal information. :) Whatever, but the faces from audience could tell me that all eyes were hitting me constantly, on all my moves and all the words I speak. In reality, I had done some background work for my audience to find their personal information from different people / places / sites that I knew and would be really interesting to them that others knew about it. I leave it to you to guess what all these things can be.. !! But my main aim was to make them think about where have they leaked this sensitive information, how it has been, make them think of a situation that if this data is misused what can happen, and finally for a day I wanted them to think like ATTACKERS ... So yes, the kicker worked both in creating the excitement as well as having them into the workshop with a different attitude. Thereon, I have been always trying to engineer different "kickers" for my workshops and fortunately most of them have been working superbly. 

3. Requires Persuasion with stories at times: Story telling reveals meaning without committing the error of defining it. Stories are  great persuaders because they create a sympathetic emotional response with an audience. For example, sharing some of my conversations with customers regarding security related defects, sharing the managers capability to overcome all the budget issues and still fix security defects and it used to make a difference. Crunch is if I tell the audience about the most embarassing thing that ever happened to me, every member, on some level, was thinking either about the similar moment is their lives or how they feel if put into my situation. Emotions in the stories were helping me guide the decisions and can be a catalyst in helping the audience gain acceptance quickly. 

4. Workshop that persuades with humour: The audience laugh could connect better and could make points memorable. It used to be like pleasant lubricant to the flow of information. More than that, I could feel completely in control when I can hear a wave of laughter coming back at me that I have caused. So this comedy was very controlling. I also prepared savers. Not every joke works !! A piece of self deprecating humour after the joke bombs. The key aspects I learnt while practising in every workshop were, I had to memorize the punch lines, try to localize the humour, deliver key phrases in the setup slowly and clearly, let the people know when the punch line is coming & after the joke bombs, pause & wait for laugh and regain control over the audience. :)

In different workshops, I tried different things. Sometimes adding humour to introduce myself, adding humour to introduce a subject, to reinforce a key point after I had made it, to diffuse anger or hostility at times or to diffuse criticism. 

5. The Day that Inspires: I always used to dream that my workshop day should be one where everyone considers leaving their current job and thinks to work with me.... hahaaa...I knew it's not possible. I only wanted them to be inspired by what I can present. Every developer had to be told there is much more than just the functionality of the software and the standard security measures they had been taking. It had to be a presentation that inspires, presents an action, if taken, will connect my audience to something extremely great or meaningful. I used to think that you have to be a gifted genius, a sainted visionary or touched by great spiritual force to inspire the audience, but I was wrong. Slowly I learnt the way to inspire, creating a vision, asking deep in heart - "what does my audience need or want to believe?",looking for greatness in small everyday type software development practices. I knew if the vision sticks, it was time of call to action.

6. Welcoming to the Real Security Perception: Most of my audience would come in carrying a very different perception of what security is, how much security is required and how it can be bolted in. The challenge was to change the perception. If the audience has a negative attitude towards a proposal, it will be hard to win an approval. Every attitude is formed from the initial perceptions that created it. Change those perceptions & you can change the attitude. Change the attitude and a new behaviour can be followed. This is what I did learn while all these workshops. I often redefined their process of evaluating the software security, the attributes, the nice to have features, the must have features, etc.

Saturday, September 06, 2008

New Rogue Security Product: Smart Antivirus 2009

Smart Antivirus 2009 is a new rogue security product and a near clone of AntiSpyware 2008

Smart Antivirus 2009

Smart Antivirus 2009 Home page

Smart Antivirus 2009 HomePage

Typical fake/Scare scan page

Smart Antivirus 2009 Scannerpage

List of sites used in this scam

Smartantivirus2009. com
Smartantivirus-2009. com
Smart-antivirus2009. com
Smart-antivirus-2009. com
Smartantivirus2009buy. com
Smart-antivirus2009buy. com
Smart-antivirus-2009-buy. com
Smart-antivirus-2009buy. com
Smart-antivirus2009-buy. com
Smartantivirus-2009-buy. com
Smartantivirus-2009buy. com
Smartantivirus2009-buy. com

Friday, August 08, 2008

Dedicated Internet Security Researchers Worldwide Band Together in ...

Dedicated Internet Security Researchers Worldwide Band Together in New York City at the Largest Application Security Focused Conference on Sept 22nd-25th

The OWASP Foundation ( has posted their final speaker selection for their upcoming conference in New York City. The conference will take place September 22nd - 25th, downtown at Pace University, located at One Pace Plaza.This application security world conference will be the largest OWASP conference ever. The Keynote Speakers for this event will include Howard A. Schmidt, Former White House Cyber Security Advisor, Joe Jarzombek, the Director for Software Assurance in the Department of Homeland Security (DHS), and Jeff Williams, Chairman of the OWASP Foundation. Jeremiah Grossman, Robert "RSnake" Hansen, along with many other well known application security pioneers, will present new research, findings and solutions. This conference is limited to only 1,000 attendees, so reserve your spot immediately.

The OWASP conference is focused on making educators, developers, managers and security professionals aware of the new techniques in Hacking, BotNet and management of the Software Development Lifecycle (SDLC) that are critical for industry standards and regulations such as PCI, ISO, GLBA, SOX, HIPAA and FISMA.

"New York City is the epicenter of the World Financial Industry. This makes it a prime target for attackers and the best place to hold the OWASP Conference. OWASP's contributors are focused on making people aware of the tools and techniques that hackers are using to make Cyber-Crime a multi-billion dollar a year industry," said Tom Brennan, OWASP Foundation Board Member and NYC Conference Organizer.

The conference is sponsored by many industry leading companies such as Imperva, IBM, WhiteHat Security, Cenzic, ISC(2), F5, Breach, Foundstone, Acunetix, AccessIT, Artec, Airtight, Art of Defense & Security University, just to name a few that will also be on exhibit.Proceeds from OWASP conferences and their sponsors help fund many projects and grants, including industry leading publications as the OWASP Top-10, OWASP Development Guide, Testing Guide & Code Review Guides.

Wednesday, July 16, 2008

Ever put your CV on a job site?

McAfee Reports Recent phishing attempts have been targeting some popular social networking sites and jobs websites, such as and Due to the amount of personal and sensitive information which is saved there, they are very valuable to phishers. This data could be used to further target or spear phish individual victims by name and even work interests.

We have seen phishing attacks which targeted in the past. The latest target is another big recruitment site - Just like typical financial phishing emails, the Monster phishing emails have subjects including imperatives like “Monster customer service: important notice” or “Monster customer service: please confirm your data!”

But please do not be fooled! These are not from Monster at all!! phishing site phishing site

The phishing domain would appear to be hosted on a new UK domain with dns leading to a bot in Turkey. We can see from this phishing site, the phisher is mainly targeting recruiters for their logins and passwords. This would enable them to access hundreds or even thousands of job seekers’ CVs which often contain a gold mine of sensitive data. Other elements of the recruiters account could be useful as well.

The level of personal data on a CV is pretty high, and in the wrong hands outright dangerous. Be vigilant against unsolicited emails!

Tuesday, June 10, 2008

Windows Defrag Shows It All !!

I am sure you must have seen this 'ACCESS DENIED' screen if you try and enter the protected 'System Volume Information' folder on your Hard Drive.

Any idea what is there inside the 'System Volume Information' folder there? Well, windows indeed stores a lot of information that is required to be protected there and all the windows restore points are also present in this folder.

Now, security doesn't seem to have covered at all the places in windows. What happens is the path inside System Volume Information is protected by a folder structure which is not easy to guess.

The flaw lies in Windows Defragmentation.

Windows Defragmentation does not hide the fragmented files present in System Volume Information folder. If the folder structure is revealed here, you get access to lot more sensitive information. This includes windows registry, SAM files, etc.

So, if I save this report and view the actual path inside the System Volume Information,

I use this path to get inside System Volume Information folder using explorer and I now have the access to "protected" files like SAM file and lots of other information.

Thursday, May 29, 2008

Developing Software Security Requirements

Software Security Requirements Engineering

Users may not be totally aware of the security risks, risks to the mission, and vulnerabilities associated with their system.

Commonly Used Techniques for Capturing Security Requirements can be broadly categorized as a top-down or a bottom-up analysis of possible security failures that could cause risk to the organization.

1. Fault Tree: Analysis for security is a top-down approach to identifying vulnerabilities. In a fault tree, the attacker’s goal is placed at the top of the tree. Then, the analyst documents possible alternatives for achieving that attacker goal. For each alternative, the analyst may recursively add precursor alternatives for achieving the subgoals that compose the main attacker goal. This process is repeated for each attacker goal. By examining the lowest level nodes of the resulting attack tree, the analyst can then identify all possible techniques for violating the system’s security; preventions for these techniques could then be specified as security requirements for the system.

2. Failure Modes and Effects Analysis (FMEA) is a bottom-up approach for analyzing possible security failures. The consequences of a simultaneous failure of all existing or planned security protection mechanisms are documented, and the impact of each failure on the system’s mission and stakeholders is traced.

Other techniques for developing system security requirements include threat modeling and misuse and abuse cases.

Monday, April 28, 2008

Can Security be incorporated in the Computer Science & IT courses?

Attacks on the web systems have become a common place and most of the issues have been attributed to software vulnerabilities. The IT software industry has recognized the importance of building secure software systems by incorporating security in their SDLC.

What amuses me is that the situation can be much better improved by integrating the basic security mantras in the graduate programs of Computer Science and Information Technology courses. The engineering courses for Computer Science and Information Technology at least can be sought to have the security touch points to enable the fresh candidates understand security implications while building software.

Currently, most security efforts at the university courses are in the form of specialized security classes which address particular topics in form of network security or cryptography. In contrast to the integrated approach currently being used in industry, education continues to handle security as an afterthought.

Something that everyone in the engineering courses would have learnt would be Database Management Systems (DBMS) and Web Technologies. Let’s take an example, we were taught that writing stored procedures are better compared to writing dynamic SQL because they are pre-compiled and hence better in terms of software performance. But we were not taught that stored procedures also helps protect you from a security threat called SQL Injection which is one of the most common attack.

My proposal is to plot security in the engineering curriculum with core courses. It just requires infusion as a subset in the main subjects. The concept of robust programming is native to secure coding. It is imperative to teach students that safe and reliable programs are inherently more secure.

The classic Software Development Lifecycle (SDLC) includes analysis, design, implementation, testing, and maintenance. Incorporating security into the SDLC yields the Secure Development Lifecycle. The touch points in the course should be Security Requirements and Analysis, Security Design, Security Implementation and Security Testing. Something that is fundamental to software programming and security assurance becomes the security coding mantras. A few are mentioned below.
• Principle of Defense in Depth
• Principle of Least Privilege
• Do not trust any user input
• By default Deny
• Assume the Impossible
• Graceful degradation on error

The idea is to make students aware of these small mantras while learning software programming. These small changes make a huge impact on the student who enters the industry and is already aware of security best practices if not all the attacks. It makes a great value add for the organizations too to hire a candidate with basic security knowledge. The ability to write secure code should be a fundamental to a university computer science as basic literacy. I am sure that the industry will also appreciate if the universities accept these changing demands.

Dharmesh Mehta
Technical Analyst, Mastek

Tuesday, April 08, 2008

Polymorphic Exploitation

The emerging attacks by attackers which is dynamically changing each time a potential victim visits the malicious page is defying the traditional regular-expression and heuristic-based protection that identifies Web exploits at the network or host.

The attacker are very effective in creating a unique exploit with each request and making it impossible for signature-based protection engines to uniquely detect each attack instance.

The major driving factor for the attacker still remains Financial gain. Stealing personal data, hijacking Web transactions, executing phishing scams and perpetrating corporate espionage
are all motivators.

Traditional security techniques focus on stopping file execution and viruses at the client’s operating system (OS) layer. Unfortunately, it is far more difficult to protect users at the browser level. While some signature-based protection is able to detect one layer of Web exploit obfuscation, polymorphic exploitation will pose a new problem.

Proposed countermeasures for Web 2.0 and client side attacks include:
• Educating Web developers on the need for secure coding throughout the development lifecycle, with emphasis on input validation.
• Transitioning from finger-print or pattern matching protection to heuristics or behavior-based protection.
• Enabling protection engines to understand JavaScript just as the browser does.
• Utilizing feedback networks to analyze malicious Web sites, encourage remediation and improve content filtering at the browser level.

Friday, April 04, 2008

Beyond Burp & Paros

Most of you in the world of Web Application Security would have heard about Burp, Paros, WebScarab and other proxy tools to intercept the web (HTTP/HTTPS) requests and able to fiddle around with the parameters.

Going beyond the normal web request proxy tools to intercept the request and fiddle around, what tools do we use to intercept Thick Client Applications?

I have come across the tools like
I think they have been useful, but it is really tedious to get in the relevant data for tampering and be successful. These tools are in fact information tanks where in one will need to mine out relevant things for attacks or testing. :)

Saturday, March 22, 2008

OWASP Summer of Code 2008

OWASP is now launching the Summer of Code 2008 (SoC 2008)

  • The SoC 2008 is an open sponsorship program were participants/developers are paid to work on OWASP (and web security) related projects.
  • The SoC 2008 is also an opportunity for external individual or company sponsors to challenge the participants/developers to work in areas in which they are willing to invest additional funding.
  • The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software. The mission is to make application security "visible," so that people and organizations can make informed decisions about application security risks.
  • The only requirement is that the candidate shows the potential to accomplish the project's objectives/deliveries and the commitment to dedicate the time required to complete it in the appropriate period.

More Details

Friday, March 21, 2008

Hacking Web Applications – Truly Simple

Application Hacking is the trend of the industry. It started with viruses and worms – The age of anti-virus. It evolved with the internet as more corporations developed internal and external networks – The age of Network Security. Now as industry has been powered with World Wide Web, information security has reached its third age – The age of Application Security. Application attack is one of the hardest attacks to recognize and defend against, as it uses your programs and systems against you.

If we recall the attacks few years back, we see that most of the organizations including NASA, CIA and Yahoo were attacked. These attacks were mostly at network layer of the corporate systems. The network layer is now very secure and hackers find it difficult if not impossible to attack at the network layer. Today, applications are the target. Attackers steal credit card numbers from bank site and an intruder breaks into a corporate application stealing sensitive employee information. Hackers use the application sitting behind the strong firewall and use a loop hole in the application to access corporate and customer data. As the industry embraces the benefits of e-business, the use of Web based technologies will continue to grow. However, as these technologies evolve, the vulnerabilities are being discovered at a similar rate. Secure implementation of these technologies cannot be achieved without a consistent approach to Web Application Security. Also the convergence of regulatory demands for application security with an increasingly security-savvy software buyer is driving a serious impetus for change.

Whether a security breach is made public or confined internally, the fact that a hacker has broken into your online assets should be a huge concern to organizations. Quite a large number of organizations are reactive to security incidents, pretending that the problem will go away. They respond with short-term fixes and the problems re-emerge rapidly. They fail to recognize the value of information and company reputation as opposed to cost of addressing security vulnerabilities.

Unlike certain worms and viruses that exploit the network security weaknesses, web application attacks go after flaws in the application itself. For example, an attacker could tamper with a part of HTTP request and use buffer overflows to corrupt an application by having it execute arbitrary code. In this way, an attacker could take control of the web or application server.

Ahh! We have a very strong password policy. But are passwords sufficient? Passwords are only as trustworthy as the people using them. If you rely on passwords to protect your online assets, then you are relying entirely on the people logging in and out. Let’s just draw a real world example. With popularity of social networking sites like, we find thousands of people listing down their organization name and their work profile in public. What’s more concerning is they also list their family members with information of names and ages of their children. There is very high probability that a hacker may be able to find out a person’s password from the above information and get inside the organization’s defenses very quickly. Passwords are not sufficient to provide security to your online applications.

Does your firewall protect online assets? The traditional function of a firewall is to regulate the ports and services running on the server. Web applications by and large use port 80; and the firewall keeps this port open. This is the gold spot for the attackers. The beauty of application attack lies in sneaking through your firewall and use the application itself to break it. Firewalls cannot protect you from this happening.

With hacking tools being readily available and the complexity of attacking decreasing, it is relatively easy to find flaws in an application. A hacker could easily change the hidden fields of an online shopping site indicating price and smartly walk away without paying money. This is largely because while building applications, some of the most basic security measures, to keep information secure, were ignored. The cost of poor application security can be far greater than most organizations can imagine.

Organizations must take a proactive approach in protecting their critical web applications. The need lies in understanding how important application security is in the software development cycle. Application security must align as early as during requirement gathering, making way in secure design, development and deployment.

We are witnessing the emergence of more security-savvy buyer of software asking questions about the security practices and those are having a big impact on purchase decision. In long run, these companies will surely enjoy a higher return on investment.

Wednesday, February 20, 2008

Virtualization : Is it Secure?

Virtual machines are often used by security researchers to sandbox malware samples for analysis, or to protect a machine from a potentially hazardous activity. The theory is that any security threat or malicious behaviour will be restricted to the virtual environment which can be discarded and then restored to pristine condition after use.

Virtual machines are sometimes thought of as impenetrable barriers between the guest and host, but in reality they're (usually) just another layer of software between you and the attacker. As with any complex application, it would be naive to think such a large codebase could be written without some serious bugs creeping in. If any of those bugs are exploitable, attackers restricted to the guest could potentially break out onto the host machine.

investigated this topic and presented a paper at CanSecWest on a number of ways that an attacker could break out of a virtual machine.

Most of the attacks identified were flaws, such as buffer overflows, in emulated hardware devices. One example of this is missing bounds checking in bitblt routines, which are used for moving rectangular blocks of data around the display. If exploited, by specifying pathological parameters for the operation, this could lead to an attacker compromising the virtual machine process.

While you would typically require root (or equivalent) privileges in the guest to interact with a device at the low level required, device drivers will often offload the parameter checking required onto the hardware, so in theory an unprivileged attacker could be able to access flaws like this by simply interacting with the regular API or system call interface provided by the guest operating system.

Things you can do to help end Phishing

  • Learn to recognize and avoid phishing. The Anti-Phishing Working Group has a good list of recommendations.

  • Update your software regularly and run an anti-virus program. If a cyber-criminal gains control of your computer through a virus or a software security flaw, he doesn't need to resort to phishing to steal your information.

  • Use different passwords on different sites and change them periodically. Phishers routinely try to log in to high-value targets, like online banking sites, with the passwords they steal for lower-value sites, like webmail and social networking services.

Tuesday, February 12, 2008

Using IT to Combat Money Laundering

Money Laundering in simple words is about making money that comes from a ‘source a’ look like it has come from ‘source b’. This in world of software is also called repudiating one’s identity. Money Laundering has been practiced generally by criminals trying to disguise the origins of money obtained from illegal activities to craft them in a way that they seem to originate from legitimate sources. This is mainly to prevent them connect them to criminal activity. The most common offenders in this process are drug traffickers, corrupt politicians, terrorists and con artists.

Financial Institutions and Banking Institutions are amongst the most vulnerable to Money Laundering as illegal money enters the economy via banks in the form of large cash deposits or illicit financial transactions.

Money Laundering typically has 3 main phases – Placement, Layering and Integration. The common methods used in each of these phases are mentioned below:

1. Placement Stage: This prefers to the physical disposal of bulk cash proceeds derived from illegal activity.
a. Cash paid into bank (mostly with staff involvement or mixed with proceeds of legitimate business.
b. Cash used to purchase high value goods, property or business assets.
c. Cash being exported.

2. Layering Stage: This refers to the separation of illegal entrance of money from their source by creating complex layers of financial transactions. Layering conceals the audit trail and provides anonymity.
a. Several bank to bank transfers
b. e-transactions between different accounts in different names in different countries
c. Changing money’s currency
d. Resale of goods or assets

3. Integration Stage: This refers to the reinjection of the laundered proceeds back into the economy in such a way that they re-enter the financial system as normal business funds.
a. False loan payments
b. Forged invoices used as cover
c. Presenting income from property or legitimate business assets to appear clean

Using Information Technology to combat Money Laundering

While money laundering techniques are becoming sophisticated, so is the technology used to fight it. IT systems cannot be viewed as perfect solutions for Anti-Money Laundering techniques, but current packages have following to offer. Use of these packages enables banks to know and understand their customers and their financial dealings to help them manage risks prudently.

1. Competent for Name Analysis
2. Offer case based account documentation acceptance and rectification
3. Assess Money Laundering Risks at both Account and Customer levels
4. Rules-based systems
5. Include Statistical and Profiling engines for monitoring customers
6. Use Neural Networks and Link Analysis to detect frauds
7. Time sequence matching to prevent Hawala cases
8. Can monitoring transactions for suspicious activity
9. Helps ensure compliance to Banking or Financial standards for Anti Money Laundering
10. Investigation Tools

Effect On Our Economy

Money laundering is one of the ongoing problems facing the international economy. The economic effects are on a broader scale. Developing countries often bear the brunt of modern money laundering because the governments are still in the process of establishing regulations for their newly privatized financial sectors. There is also a growing realization about the extent that money laundering and its relationship with organized crime are interlinked.

The huge profits that accrue to these criminals from areas such as drug trafficking, international fraud, arms dealing, trafficking in human organs, will be used not only to facilitate ongoing operations, but to consolidate the wealth, prestige and respectability of those in control of the criminal business.

Hawala transactions have a huge impact on the economy. Various commercial activities get influenced. In fact, the price of land has been spiraling due to the activities of this mafia. The root of the problem can be traced to the policies of Government both at the Centre and the State. Inflation, rise in the land prices and circulation of black money are among the effect of money laundering methods circulating in the system. If left uncontrolled, it would lead to creation of a parallel economy which will destabilize our country. These artificially created inflated financial sectors create errors in economic policies. Massive influxes of dirty cash into particular areas of the economy that are desirable to money launderers create false demand, and officials act on this new demand by adjusting economic policy.

Issues on a local scale relate to taxation and small-business competition. Money from illegal activity is often untaxed which means the rest of us ultimately have to make up the loss in tax revenue. Also, legitimate small businesses can't compete with money-laundering front businesses that can afford to sell a product for cheaper because their primary purpose is to clean money, not turn a profit.

Money Laundering is a major concern because of its scale, its capacity to exploit and influence the legitimate business world and its capacity for internationalization. These concerns have led to concerted international action for a solution to combat this growing menace called Money Laundering.

Tuesday, January 29, 2008

Guarding Against Credit Card Frauds

The percentage of people using plastic money (cards) for transactions is growing day by day and so are the card scams rising along. We often hear or read about credit card frauds in our daily and how people end up in nightmares seeing huge bills for things they actually have never purchased. Likewise even the credit card companies are paying off handsome amount from their profit share to cover these fraudulent transactions.

Let me bring up few ways in which these frauds happen. By and large for physical credit card transactions, the deception story starts when the person who takes your card for swipe copies your card information to some other device. Later these details are copied to fake cards which are genuine card look alike with complete hologram markings and logos. The poor card holder remains completely unaware that his card has been cloned until he notices bill amounts of things he has never purchased. One of the other common methods is making a hoax call (often representing as card issuer authority) to the card holder and trying to retrieve card details. Credit card bills lying in trash cans or public places are other avenues where fraud originates.

Regarding users using cards for online transactions, one can see a large number of ways in which card data can be compromised. Falling in prey of a nice email asking for card details in return of discounts, or emailing card details to a friend or being a victim of card details being copied by an illegal software installed in cyber cafes are most common lines of attack sources.

One of the reasons in increasing successful frauds is inadequate knowledge of the card owner on proper use of credit cards. Here’s how credit card owners can better safeguard from these frauds.
• Over a credit card transaction, keep an eye on your card as it is being swiped. Make sure it is being swiped only once for a single successful transaction and get back your card as quickly as possible.
• Sign your credit card as soon as you receive it.
• Be protective of your credit card number so that others around you can't copy it or capture it on a cell phone or camera.
• Be prompt in keeping a check on your credit card bills to verify there are no bogus charges. For any charges that you don’t recognize, report these charges promptly to the card issuer.
• For people using cards at hotels or restaurants, remember to draw a line through blank portions of the receipt where additional charges could be fraudulently added other than hotel tips.
• In case of change of your billing address, notify your credit card issuers in advance so that bills reach safe hands.
• Save your receipts so you can compare them with your monthly bills.
• Always give your phone number to the company for verification of suspicious transactions.
• Be wary of any phone call or email seeking details of your account.
• Never give away photocopies of both sides of your credit card for any purpose.
• For online transactions, using credit card, remember to go by HTTPS and not HTTP.
• Avoid having e-transactions in a publicly share machine like Internet café or open free wireless network.

Wednesday, January 09, 2008

Online Banking Security

Banks today are increasingly getting introduced to a number of security threats. The ones in headlines have been Phishing, Key Logging and Man-in-the-Middle. We will find a number of online banking users who are naïve to this kind of technology and the threats associated with it. It is necessary to help them understand the precautions they must take to prevent being a victim of online theft.

Consumer education becomes a key element to prevent the manifestation of a number of risks into frauds. It is much easier for the experienced eyes of an internet-savvy user to detect potential phishing attempts when compared with a customer who has recently migrated from old school of banking to more recent modes.

On a happy note, there are solutions in the market to tackle problems of phishing, key loggers and man-in-the-middle attacks. But these are expensive solutions and not full proof.

Business Security Buy-In: Given the customer base or other reasons, it has not been easy for the banks to justify investing in secure solutions for online banking. In fact, many banks are willing to compensate for the fraud losses of the customers as they find it more cost effective than putting up a secure solution.

Security Challenges: Banks have to continuously evaluate the risks, cost of technology solutions and even upgradations. .It gets all the more challenging due to a variety of technological solutions available in the market, each addressing individual problems but none offering a one-stop solution.

Tuesday, January 08, 2008

Typo-Squatting - In the Spotlight

A dangerous cyber practice known as Typo-Squatting is in spotlight again. Attackers or Typo-squatters register domains using common misspellings of popular brands, products, and people in order to redirect consumers to alternative websites.

Should a user accidentally enter an incorrect website address, they may be led to an alternative website owned by a cybersquatter. If the intended website is ""

  • A common misspelling, or foreign language spelling, of the intended site:
  • A misspelling based on typing errors: or
  • A differently phrased domain name:
  • A different top-level domain:
Once in the typo-squatter's site, the user may be tricked into thinking that they are in fact in the real site; through the use of copied or similar logos, website layouts or content.

Monday, January 07, 2008

How to Build Secure Software

This article on "How to build Secure Software" written by Dharmesh M Mehta appeared in The Times of India - Bangalore on 7th January 2008.