Security among The Hottest Skills for 2007

With fewer openings this year, expect these five premium skills to win the jobs

Top skills IT executives say they will hire for in 2007:

1. Programming/application development
2. Project management
3. IT/business analysis
4. Security
5. Help desk/technical support

Source: Computerworld's quarterly Vital Signs survey

Using Google to View MySpace or Any Restricted Site

Most companies and schools employ proxy servers to filter unwanted sites so employees won't waste precious company resources surfing sites that the companies deem unproductive. While the use of proxy servers to block unwanted sites may be understandable in commercial cases, there are also companies that are overdoing it, banning almost all websites and creating a lot of inconvenience to their employees.

If you are in such an environment, what can you do about it? One way is to use an anonymous proxy server (such as http://www.spysurfing.com/). But once the system administrator learns about this, he will likely block this site as well. A much more foolproof way is to use Google (yes, you read that right).

Google Translate is a translation service provided by Google to help you translate text or web pages to the language you desire. Some of the languages supported include English, Simplified Chinese, Spanish, French, German, Korean, Japanese, etc.

If you want to translate a page from one language to another, here is the URL format:

http://www.google.com/translate?langpair=en|es&u=www.websiteurl.com

where en|es is the language pair to translate from one language to the other (here it is English to Spanish), and www.websiteurl.com is the site you want to translate.

An interesting workaround to bypass your proxy server is to use Google Translate to translate the page you want to view from English to English, like this:

http://www.google.com/translate?langpair=en|en&u=www.websiteurl.com

Here, since the origin language and the destination language are the same, Google Translate does not perform any translation and hence simply acts as a forwarder and forwards the page you want to view directly to you. As an example, if your workplace/school has blocked MySpace.com, you can use the following URL to view it:

http://www.google.com/translate?langpair=en|en&u=www.myspace.com

Using Google Translate to bypass your proxy servers does not work all of the time. In some instances, it does not work at all. And in some cases, Google Translate will only display the text of the site you want to view (the images will not load), while in other cases you may need to translate the page to other languages before you can view its content.

UI Security Check #1

I was trying to collate a few checks for Web UI Security. Here are somethings for check ONE....
I invite people to put in their suggestions and comments for the same.

#1. Does the UI disclose information that might compromise the security of the system?

• Don’t provide information in error messages that might compromise the security of the system.
• Don’t reveal data store locations and URL’s when they are not necessary
• Mask sensitive information such as SQL Server name, User ID, Password
• Don’t return errors with cross-site scripts
• Don’t allow links to open executables
• Don’t provide error information with clickable links. Convert links to plain text to encourage these to be scrutinized prior to being launched
• Ensure that logs are correctly stripped of sensitive information

Relevance: Developer

Web Services Design Security Considerations

Web Services Design Security Considerations

I. Information Gathering

1. WSDL Retrieval: Identify web method call mechanics
2. SOAP Error Messages
3. Web Method Enumeration: Identify methods not published in the WSDL.

II. Parameter Manipulation

1. Identify mishandling of numerical fields, character strings, Base64 data handling, etc.
2. Identify SQL Injection/XPATH Injection Vulnerabilities
3. XML input data is validated based on an agreed schema.
4. If parameter manipulation is a concern (particularly where messages are routed through multiple intermediary nodes across multiple network links). Messages are digitally signed to ensure that they cannot be tampered with.
5. Determine whether the logging mechanism is vulnerable to arbitrary entry creation via carriage return and line feed injection.
6. Assess the possibility of inserting HTML tags into a HTML based log.
7. Assess the possibility of inserting XML elements and/or attributes into an XML based log.
8. Determine the logging mechanism’s susceptibility to white space injection.
9. Assess the ability of the web service to log messages that contain special separator characters.
10. Assess the handling of log data after reaching the upper log size limit.
11. Assess the web service’s susceptibility to LDAP injection.

III. Authentication and Authorization

1. Web services that support restricted operations or provide sensitive data require and support authentication.
2. Where appropriate, access to publicly accessible Web methods is restricted using declarative principle permission demands.

IV. Sensitive Data

1. Sensitive data in Web service SOAP messages is encrypted using XML encryption OR messages are only passed over encrypted communication channels (for example, using SSL.)
2. Identify the encryption cipher used in the application.
3. Determine the items within web service communications that are encrypted.
4. Determine the items within web service communications that are protected by message integrity checks.

V. Exception Handling

1. SOAP Exceptions are thrown and returned to the client using the standard SOAP element.
2. If application-level exception handling is required a custom SOAP extension is used.

VI. Auditing & Logging

1. The Web service logs transactions and key operations.

VII. Proxy Considerations

1. The URL Behavior property of the Web reference is set to dynamic for added flexibility.
2. The endpoint address in Web Services Description Language (WSDL) is checked for validity.

VIII. Configuration

1. Unnecessary Web service protocols, including HTTP GET and HTTP POST, are disabled.
2. The Web service runs using a least-privileged process account.
3. Debugging and Tracing are disabled.
4. Identify directory traversal vulnerabilities.
5. Assess the level of information disclosure from temporary files.

Alternative to IE and Firefox

An interesting alternative is SecureIE (www.secureie.com) which costs 30$ and seems
to outperform Firefox and IE in the security field (http://tinyurl.com/bjayn).

Design Considerations for Security

1. Do not trust on Client-User Input. Security decisions should not rely on client-side validations; they are made on the server side

2. Identify application to fail gracefully. An approach to exception management should be such that does not reveal any internal software information.

3. Partition the application into public accessible and restricted areas. Isolate higher privileged sections of the application.

4. Granular authorization check for pages and directories.

5. Web controls, user controls, and resource access code are all partitioned in their own assemblies for granular security

6. Mechanisms have been identified to secure credentials, authentication tickets, and other sensitive information over network and in persistent stores

Firefox popups

Firefox popups

Like you, I love Firefox for many reasons, including popup blocking. So over the last few weeks I’ve been surprised to see occasional popups.

It turns out that some clever people figured out that you could launch popups from Flash, getting around the Firefox default settings.

Fortunately, you can get around it:

1. Type about:config into the Firefox location bar.
2. Right-click on the page and select New and then Integer.
3. Name it privacy.popups.disable_from_plugins
4. Set the value to 2.

The possible values are:

* 0: Allow all popups from plugins.
* 1: Allow popups, but limit them to dom.popup_maximum.
* 2: Block popups from plugins.
* 3: Block popups from plugins, even on whitelisted sites.

Perspective of Performance and Security in IT

Performance and security are like brothers in IT. They are similar and yet they fight each other at times.

Both performance and security are important inherent qualities in IT systems. Who would not want a fast and secured IT system? You want your home computer to be fast and secured. The bank CEO wants his Internet banking system to be fast and secured for his customers.

This was a very nice article on ACE Team Blog. If you wish to read more...

Here it is: http://blogs.msdn.com/ace_team/archive/2006/07/03/655524.aspx

The Oracle Global Product Security Blog

Have you ever seen this?

The Oracle Global Product Security Blog

Oracle getting committed on security by providing rating to vulnerabilities at the security blog...:)

Security researchers have criticized Oracle in the past for the time the company has taken to fix vulnerabilities.

In July 2005, security experts at Red Database Security outed six flaws, claiming that the company had more than 650 days to fix the security issues.

Peter Finnigan, who first noted the change in policy has provided a great list of tools for auditing and testing oracle databases. If you get a chance, do visit his site at :
http://www.petefinnigan.com

Developing More-Secure Microsoft® ASP.NET 2.0 Applications Now Available

A new book in the Secure Software Development Series, this time from Dominick Baier is now available from Microsoft Press.

It covers ASP.NET 2.0 security features as well as security defenses and design and coding best practices. There’s also a chapter on the not-so-well-understood aspect of building and deploying least-privilege and partial trust ASP.NET 2.0 applications. This is a must-read chapter for Web site hosters.

You can get more info about the book here.

Spoofing threats are usually associated with a wily hacker being able to impersonate a valid system user or resource to get access to the system and thereby compromise system security.

Tampering with data involves the malicious modification of system or user data with or without detection.

Repudiation threats are associated with users—malicious or otherwise—who can deny performing an action without administrators having any way to prove otherwise. An example of a reputability threat is a user performing an illegal operation in a system that lacks the ability to trace such operations.

Information disclosure threats involve the compromising of private or business-critical information through the exposure of that information to individuals who are not supposed to see it.

Denial of service (DoS) threats when carried out deny service to valid users—for example, by making the system temporarily unavailable or unusable or by forcing a reboot or restart of the user’s machine.

Elevation of privilege: In this type of threat, an unprivileged user gains privileged access and thereby has sufficient access to compromise or destroy the entire system.

Attacks against IIS

IIS is one of the most widely used Web server platforms on the Internet.
Microsoft's Web Server has been the frequent target over the years.
It has been attacked by various vulnerabilities.

Examples include:

• ::$DATA vulnerability
• showcode.asp vulnerability
• Piggy backing vulnerability
• Privilege command execution
• Buffer Overflow exploits (IIShack.exe)

IIS Components

• IIS relies heavily on a collection of DLLs that work together with the main server process, inetinfo.exe, to provide various capabilities.
• Example: Server side scripting, Content Indexing, Web Based printing etc.
• This architecture provides attackers with different functionality to exploit via malicious input.

ISAPI DLL Buffer Overflows

• One of the most extreme security vulnerabilities associated with ISAPI DLLs is the buffer overflow.
• In 2001, IIS servers were ravaged by versions of the Code Red and Nimda worms which were both based on buffer overflow exploits.

Download everything from Microsoft without WGA Check

When you want to download a file from Microsoft a WGA (windows genuine advantage) check is performed. Microsoft installs a small piece of software on your computer that contacts the Microsoft server and checks for validity. If the test fails you will not be able to download the file(s). The following method gives you the ability to download every file from Microsoft without a WGA check.

All you need is the tool mgadiag.exe and the download url of the file that you want to download. Mgadiag.exe is the Microsoft Genuine Advantage Diagnostic Tool. Start this tool and check the value of the “Download Center Code”, this should be seven chars consisting of upper case letters and numbers. Remember that code and open the website of the file that you want to download.

A download page looks similar to this one for Internet Explorer 7. All you need to do is append the following value to the url and you will be able to download the file without a WGA check.

&Hash=”download center code”

Replace the “download center code” with the code that you looked up in the mgadiag.exe tool. This code changes frequently, make sure you have the correct code before starting the downloads.

To sum it up:

1. download mgadiag.exe
2. start mgadiag.exe and look at the download center code
3. visit a download page at microsoft.com
4. append &Hash=”download center code” to the url (example &Hash=6VJPCR9), no quotation marks needed
5. Hit enter

Microsoft is probably going to fix this soon, it is working nevertheless at the moment.

Free Web Proxy List

A web proxy is becoming more and more important in todays internet. Schools and Companys tend to block sites pretty quickly nowadays, especially when the blocking is directed at just a few websites and not every website in that category. Web Proxys might be able to sneak past this policies and display the site in your browser even though it is banned in the network.

How do web proxys work ?

A network bans a website either by its IP, its name or part of its name. A web proxy makes only shows its own address to the network and not the actual destination of the user. The admin of the network will think everything is fine and you are free to reach the site that is banned. The only thing that might happen is that the admin is banning the web proxy as well, but this is not a big deal either. Hundreds of web proxys exist, just switch to a new one and you are ready to visit the banned site again.

Setup your own Web Proxy:

Let us assume that all proxy websites have been banned in your network, you can´t find a single web proxy that is still working. Your best choice is to create your own web proxy at an address that only you know. All you need is the php web proxy poxy and some webspace with php to upload it to. Search google for free webspace php and you should find some hosts that allow you to use php and upload your web proxy to them.

You can alternativly use a cgi web proxy which needs a webspace with cgi enabled.
Web Proxy List:

Please not that the list does not display if the webproxy is able to handle scripts, I did not find a reliable way to make a test for all languages out there, therefor this has not been added to the list. I also removed websites that loaded slowly, displayed errors or forced you to click on an ad before you could use the service.

It is most likely that the name “proxy” might have been banned as well, try using web proxys that do not have proxy i their url, this might help.

oxys that do not have proxy i their url, this might help.

• 75i
• Anonymouse
• Anti Web Filter
• Back Fox
• BBScience
• Bored at School
• Browse at School
• Bypass browser
• Bypass it
• Cecid
• Cgi Proxy
• Clever Proxy
• Conceal Me
• Dark Proxy
• Dave Proxy
• Dejacey
• Desire Proxy
• Direct Proxy
• Dtunnel
• Dzzt
• Famous 5
• Fly Proxy
• Free Proxy
• Free Proxy Server
• Fsurf
• Ghost Click
• Gouc
• Hide and go surf
• Hide your Info
• Hujiko
• Iam new guy
• Idoxy
• IP Bounce
• IP Bouncer
• IP Zap
• Let me By
• Lin Fox
• Modern Proxy
• Mr. Proxy
• My Proxy
• Neo Proxy
• Net Sack
• New Proxy
• Ninja Proxy
• Peoples Proxy
• Perfect Shelter
• PHProxy
• Poxy
• Prime Proxy
• Pr0xy
• Proxy 121
• Proxy 77
• Proxy Anon
• Proxy Craze
• Proxy Drop
• Proxy Gasp
• Proxy Hero
• Proxy Lord
• Proxy Mod
• Proxy Mouse
• Proxy Prince
• Proxy Snow
• Proxy Spy
• Proxy Surf
• Proxytastic
• Proxyz
• Prxxy
• Psurf
• Pure Privacy
• Radio Farda
• Safe for Work
• Safe Hazard
• Safe Surfer
• School Bypasser
• SD9
• Secret Browse
• Smart Proxy
• Student Proxy
• Stupid Censorship
• Surf Anon
• Surf Nameless
• The proxy
• The web tunnel
• TNT Proxy
• To Hide
• Total Upload
• Traceless
• Unblock This
• Unbloxy
• Unipeak
• Url Encoded
• Virtual Browser
• VPN Tunnel
• W3 Proxy
• Website Proxy
• Wkccp
• World Wide Proxy
• Wootage
• Work Browse
• World Want
• XXX Proxy
• Your Free Proxy
• Your Proxy

Error document information and what it indicates.

ODBC Error Code = 37000 (Syntax error or access violation)

[Microsoft][ODBC SQL Server Driver][SQL Server]Line 4: Incorrect syntax near '='.

Data Source = "ECommerceTheArchSupport2" SQL = "SELECT QuickJump_Items.ItemId FROM QuickJump_Items WHERE QuickJump_Items.ItemId <> 0 AND QuickJumpId ="

The error occurred while processing an element with a general identifier of (CFQUERY), occupying document position (1:1) to (1:42) in the template file K:\InetPub\clients\login\http\ailment.cfm

The specific sequence of files included or processed is:
K:\INETPUB\CLIENTS\LOGIN\HTTP\AILMENT.CFM

This error message indicates that the target web application if running Microsoft SQL and discloses directory structures.

How do you use RSA for both authentication and secrecy?

RSA is based upon public key/private key concept.

For authentication one can encrypt the hash (MD5/SHA) of the data with a private key. This is known as digital signature.

And secrecy / confidentiality is achieved by encrypting the data with the public key of the target user.

Generally we dont use RSA for encryption because of key size (1024 bits).
Rather a symmetric session key (128/256 bit) is established between communicating parties and is used for encryption.

Performance Testing Tools [.NET]

*Network Analysis Tool – application EKG by Leadbyte (http://www.leadbyte.com/)

*ASP.NET Profiling Tool – Ants Profiler by red-gate software (http://www.red-gate.com/)

Built-in Tools – IIS Log, SQL Profiler, SQL QA, Event Viewer, Perfmon/Sysmon, and ASP.NET Trace

New !! OWASP Mumbai Chapter Activity Site

Hey I have got gr8 thing to share....

I have made a new Site for detailing OWASP Mumbai Chapter Activities.
Please have a look at the site to download the presentations of OWASP Chapter Meetings, Read Meeting Notes, View Meeting Snaps and much more....

Link: http://owasp.mumbai.googlepages.com/

Do send me your response...

~ Dharmesh

Registrations for OWASP Mumbai Meet [31st July 15:00hrs]

Hi All,

Everyone is welcome to join us at our next chapter meet to be held on Monday, 31^st of July.

Registrations for the event are free. If you are willing to attend, just send

a mail to dharmeshmm@owasp.org as a confirmation.

If you would like to speak at the event or sponsor, contact me ASAP.

Theme of Meeting: Securing Web Services

Details of the Meet:

Time: 03:00 PM - 05:00 PM

Sponsor and Venue Details:

Tech Mahindra Ltd.

Tech Mahindra Limited. Wing 1, Oberoi Estate Gardens, Chandivali, Andheri (E), Mumbai 400 072, Maharashtra, India.

Details of Event: http://www.owasp.org/index.php/Mumbai

Incase of any queries, please feel free to contact at +91 98670 75327.

Thanks & Regards,

Dharmesh M Mehta | Technology Cell | Unit 183, SDF-6 SEEPZ, Mumbai, India |
(O) +91-22-6695 2222 Ext: 1005 | (M) +91 98670 75327 | www.mastek.com

http://smartsecurity.blogspot.com

Dream as if you'll live forever. Live as if you'll die today. - James Dean

What is STRIDE

Threats faced by the application can be categorized based on the goals and purposes of the attacks. A working knowledge of these categories of threats can help you organize a security strategy so that you have planned responses to threats. STRIDE is the acronym used at Microsoft to categorize different threat types. STRIDE stands for:

● Spoofing. Spoofing is attempting to gain access to a system by using a false identity. This can be accomplished using stolen user credentials or a false IP address. After the attacker successfully gains access as a legitimate user or host, elevation of privileges or abuse using authorization can begin.

● Tampering. Tampering is the unauthorized modification of data, for example as it flows over a network between two computers.

● Repudiation. Repudiation is the ability of users (legitimate or otherwise) to deny that they performed specific actions or transactions. Without adequate auditing, repudiation attacks are difficult to prove.

● Information disclosure. Information disclosure is the unwanted exposure of private data. For example, a user views the contents of a table or file he or she is not authorized to open, or monitors data passed in plaintext over a network. Some examples of information disclosure vulnerabilities include the use of hidden form fields, comments embedded in Web pages that contain database connection strings and connection details, and weak exception handling that can lead to internal system level details being revealed to the client. Any of this information can be very useful to the attacker.

● Denial of service. Denial of service is the process of making a system or application unavailable. For example, a denial of service attack might be accomplished by bombarding a server with requests to consume all available system resources or by passing it malformed input data that can crash an application process.

● Elevation of privilege. Elevation of privilege occurs when a user with limited privileges assumes the identity of a privileged user to gain privileged access to an application. For example, an attacker with limited privileges might elevate his or her privilege level to compromise and take control of a highly privileged and trusted process or account.

STRIDE Threats and Countermeasures

Threat	Countermeasures
Spoofing user identity	Use strong authentication. Do not store secrets (for example, passwords) in plaintext. Do not pass credentials in plaintext over the wire. Protect authentication cookies with Secure Sockets Layer (SSL).
Tampering with data	Use data hashing and signing. Use digital signatures. Use strong authorization. Use tamper-resistant protocols across communication links. Secure communication links with protocols that provide message integrity.
Repudiation	Create secure audit trails. Use digital signatures.
Information disclosure	Use strong authorization. Use strong encryption. Secure communication links with protocols that provide message confidentiality. Do not store secrets (for example, passwords) in plaintext.
Denial of service	Use resource and bandwidth throttling techniques. Validate and filter input.
Elevation of privilege	Follow the principle of least privilege and use least privileged service accounts to run processes and access resources.