Latest Phishing Site of ICICI Bank

Hi All,

I just came across a phish email created for ICICI Bank Users.
Sharing the screen-shots for fun. Have reported the fake site to antiphishing.org

The 'Phish' email:

Phishing Site Link: http://adamthompson.org/infinity.update/BANKAWAY.sessionid/update;RetUser/Y&AppSignOn.icicibank.co.in/index.html

Application security should be addressed in initial SDLC stages

IT applications are akin to the organization's blood vessels because they carry critical information and execute key processes. However, due to a peripheral approach to security, application security is often neglected.

Applications require strong embedded security to prevent breaches. Hence enterprises should start to address security at the software development lifecycle's (SDLC) early stages. There are several ways to go about this.

Education: Because business users or customers are often unaware about security risks, developers and the application architect should be familiar with possible security threats and application attacks. These personnel should inculcate the application security culture throughout the lifecycle.

If you estimate risk correctly from the beginning, it will also help you to save on costs. According to an industry statistic, if the cost of fixing a bug at design phase is X, post the release it would cost 60X. The cost of fixing bugs increases during each stage of application development. Developers can be trained on dummy applications to help them learn how attackers operate.

Build a threat model: A threat model for your application is essential to identify the involved risks, possible attack scenarios, controls and risk mitigation costs. To start, you should understand the application's utilization. You can categorize an application based on usage (internet or intranet), data sensitivity (sensitive or non-sensitive) and the technology used (web based or non-web based application). These parameters help you categorize the application security level as high, medium or low. Based on this classification, security controls are integrated during the application design process.

Read more on SearchSecurity.TechTarget.IN >>

Can your Exchange Administrator view your mailbox

Hi All,

I have been trying hard to figure out whether the Microsoft Exchange 2007 Administrators can view a user's mailbox? If so, how is this audited?

Unfortunately, I believe there is no real way of doing this in Exchange Server 2007. The closest you'll get would be to experiment with diagnostics logging settings on MS Exchange IS Private and then trolling the application event log for the events created when someone logs onto a secondary mailbox. But as yet, I haven't heard of anyone who has figured out a way to do this which meets typical audit requirements.

In Exchange 2003, I know we could do this very well. Just go to:

https://exchange2003/exchange/username

Put in our administrator user/pass, and login to that users mailbox and you could view his/her mailbox.

Interesting thingi isn't it??

No Built-In Response.HTMLEncode in Java

Why doesn't Java have a built-in HTMLEncode function??

With security vulnerabilities like Cross-Site Scripting (XSS) luring around since so many years, I am wondering why hasn't Java yet come up with its own function for Encoding chars which are malicious.

Developers have to rely on either writing their own functions to encode characters to prevent XSS or use Open-Source libraries available to encode.

I believe 'Sun' ... sorry...'Oracle' should think of having this simple thing built-in.

What say folks?

Dev Tools for Security Testing

I have been realizing that even the development tools can be good for initial security testing !!
Let me explain what I mean by this.

For instance, I have been working on a highly sensitive application (in defense sector) and this is a supposedly a Thick Client application. Developed using Windows Forms and the latest technologies of Messaging, this application can be tested for security by the development tool like Visual Studio features itself.

Most of the security testing include Data Validation checks. Input Validation, Output Validation, SQL Injection, etc are few checks related to data validation. These checks can be done using the Visual Studio IDE itself where the values for the application can be changed and checked if the application passes the validation check.

Simple Steps in a Typical Scenario:
1. My dev teams says they have performed the validation both at the client-side and server-side code to ensure application security. However, this needs to be checked.
2. So, if I pass valid values at the application client side, debug the application at server-side to change the values passed to check if the server-side validation actually fires the validation, my job is done.
3. Why would I choose such a method? because typically other than application sending request over HTTP, it is "really" tough to intercept the request sent from the client machine to the server and modify the request parameters for security mis-use cases.

IMO, close to 60% security checks could be easily done by using the dev tools debug features itself and it proves really useful if the application sends requests in non-HTTP protocol.

Botnet Attack Details from Kaspersky

One of the good folks over at Kaspersky Lab, Yury Namestnikov, has written a great white paper about the worldwide botnet “industry.” The story was picked up by Computer Weekly which did a good summary of it.

The financial “highlights” of the ill-gotten gains from botnets (From Computer Weekly):

• Hiring a botnet for DDoS attacks costs from $50 to thousands of dollars for a continuous 24-hour attack.
• Stolen bank account details vary from $1 to $1,500 depending on the level of detail and account balance.
• Personal data capable of allowing the criminals to open accounts in stolen names costs $5 to $8 for US citizens; two or three times that for EU citizens.
• A list of one million email addresses costs between $20 and $100; spammers charge $150 to $200 extra for doing the mailshot.
• Targeted spam mailshots can cost from $70 for a few thousand names to $1,000 of tens of millions of names.
• User accounts for paid online services and games stores such as Steam go for $7 to $15 per account.
• Phishers pay $1,000 to $2,000 a month for access to fast flux botnets.
• Spam to optimize a search engine ranking is about $300 per month.
• Adware and malware installation ranges from 30 cents to $1.50 for each program installed. But rates for infecting a computer can vary widely, from $3 in China to $120 in the US, per computer.

And what makes this all possible? There are tens of millions of PCs available to botnet operators because of bad computer security on machines in homes and bad security practices by the people who use them.

Computer Weekly story: “Kaspersky reveals price list for botnet attacks”

Original white paper here. “The economics of Botnets”

Isn't that Impossible?

Not every organization and their people know about software security issues nor do they respect the same.

In most of my workshops conducted with developers for secure coding, I often hear the proclamation, "Isn't that Impossible..." and then the drama starts...

Many developers do not understand how the web works
• “Users can’t change the value of a drop down”
• “That option is greyed out”
• “We don’t even link to that page”

Many developers doubts attacker motivation
• “You are using specialized tools; our users don’t use those”
• “Why would anyone put a string that long into that field?”
• “It’s just an internal application” (in an enterprise with 80k employees and a flat network)
• “This application has a small user community; we know who is authenticated to it” (huh?)
• “You have been doing this a long time, nobody else would be able to find that in a reasonable time frame!”

Many developers do not understand the difference between network and application security
• “That application is behind 3 firewalls!”
• “We’re using SSL”
• “That system isn’t even exposed to the outside”

Many developers do not understand a vulnerability class
• “That’s just an error message” (usually related to SQL Injection)
• “You can’t even fit a valid SQL statement in 10 characters”

Many developers cite incorrect or inadequate architectural mitigations
• “You can’t execute code from the stack, it is read-only on all Intel processors”
• “Our WAF protects against XSS attacks” (well, clearly it didn’t protect against the one I’m showing you)
Developer cites questionable tradeoffs
• “Calculating a hash value will be far too expensive” (meanwhile, they’re issuing dozens of Ajax requests every time a user click a link)

There would be dozens more. The point that is developer education for security is one of the largest gaps in most SDLCs. How can you expect your developers to write secure code when you don’t teach them this stuff? You can only treat the symptoms for so long; eventually you have to attack the root cause.

Looking for better solution(s)

It's been 5 years that I have been looking over Application Security issues. It makes me wonder when I find myself and many others still looking out for some unsolved or better security solutions. Certain issues where we have broken our heads to get a solution, but at the end it hasn't been "enough" secure.

I thought it might be interesting to post my list of such issues for others to see things and get opinions on the same.

Still Looking for better (Secure) solutions for following points:
1. Implementing a strong Key Management solution for PCI Compliance. Customers trust products which can help achieve this compliance, however do not trust the bespoke implementation. I strive to get this done !!

2. Develop a better CAPTCHA mechanism to defend robots. A believe a real world user hates the current image version displayed. It has to be simple and secure.

3. Get the NAT'ed IP address of the user using HTML or Javascript.

4. Strong solution to prevent users from getting on to fake sites (Phishing) without much of user education.

5. Developing an Effective and Manageable Web Application Firewall which can be at least a bronze bullet (if not a silver bullet) for Web Security. :)

6. Designing security for social networking sites where a feature could be exploited to be a flaw.

My Top Excuses for Not Fixing Security Defects

Here are the TOP excuses/reasons I have come across from people who would not want to fix a critical or severe security defect:

1. Functionality is prioritized before security.
"Doesn't matter if the application can be accessed by unauthorized users, but the application should be working as we need to GO LIVE !!"

2. Ahh !! We do not need to be compliant to that level of security.
"Lack of basic security measures required for an application."

3. The application will be replaced soon with newer systems. Why bother to change now??
"The system owners with no concrete plan of replacing the system in next phase pounce with this excuse for not fixing the defects at this moment."

4. The security solution is conflicting with the business requirement.
"Remember the requirement is to email the password to the user in clear text. Ahh !! a defect in requirement itself."

5. Inadequate reach of security risk to the customer.
"The software vendor realizes the importance of security and the risks involved, but unfortunately his Point of Contact at the Customer side is a non-technical guy who doesn't realize the importance equally and denies a change."

Microsoft Security Intelligence Report v6

Microsoft has released the latest version of the Microsoft Security Intelligence Report (SIRv6), examining industry-wide software vulnerability disclosures, Microsoft vulnerability disclosures and exploits, malicious software (malware), and potentially unwanted software.

I understand that some of you may not wish to read a 150 page technical analysis document, except as a way to fight off insomnia. Because of that, if you go over to the main SIR page at www.microsoft.com/sir, there is also a "Key Findings" document that is much more concise and provides a nice summary of the findings from each section.

Report: http://www.microsoft.com/security/portal/sir.aspx

Spam - It also impacts the environment

McAfee has released The Carbon Footprint of Email Spam Report. The study looks at the global energy expended to create, store, view, and filter spam across 11 countries: Australia, Brazil, Canada, China, France, Germany, India, Mexico, Spain, the United States, and the United Kingdom. The report correlates the electricity spent on spam with its carbon footprint, because fossil fuels are by far the largest source of electricity in the world today. Since emissions cannot be isolated to one country, the study averages its findings to arrive at the global impact. Key findings include:

• The average greenhouse gas (GHG) emission associated with a single spam message is 0.3 grams of CO2. That’s like driving three feet (one meter); but when multiplied by the yearly volume of spam, that amount is equivalent to driving around the earth 1.6 million times.
• Much of the energy consumption associated with spam (nearly 80 percent) comes from users deleting spam and searching for legitimate email (false-positives). Spam filtering accounts for just 16 percent of spam-related energy use.
• Spam filtering saves 135 terawatt hours (TWh) of electricity per year. That is equivalent to taking 13 million cars off the road.
• If every inbox were protected by a state-of-the-art spam filter, organizations and individuals could reduce today’s spam energy by 75 percent or 25 TWh per year, the equivalent of taking 2.3 million cars off the road.
• Countries with greater Internet connectivity and more users, such as the United States and India, tend to have proportionately higher emissions per email user. The United States, for example, had emissions that were 38 times that of Spain.
• While Canada, China, Brazil, India, the United States and the United Kingdom showed similar energy use for spam by country, Australia, Germany, France, Mexico, and Spain came in about 10 percent lower. Spain had the lowest figure, with both the smallest amount of email that was received as spam and the smallest amount of energy use for spam per email user.

Not only is spam related to cybercrime and a nuisance, but it also impacts the environment. Download the study here. It’s worth a read.

How to Protect Your PC from Malware Infection

How to Protect Your PC from Malware Infection

Malware or malicious software is a program or a file which is harmful to your computer.

These programs have the capability to enter your computer system without your knowledge or consent and cause errors leading to system slow down, crashes and loss of data.

In the United States alone, there are over 60 million computer users who are affected by virus, spyware or some kind of malicious software. Almost everyday a new malware is being released into the cyber world making it easier for the online criminals to make attempts to steal financial information, important data or personal identities. Anti-malware tool manufacturers try to keep up with these new malware by constantly releasing updates and advanced antivirus and antispyware programs.

On the other hand, the response to this huge problem by computer owners is usually delayed. Most of the users wake up to the seriousness of the problem when their computer has already started to show signs of infection, like error messages, system slow downs, and frequent freezes and system crashes. Even then, user response is mostly to take care of the immediate problem, rather than to create a robust defense mechanism for their computer. Over 62% of computer owners surveyed have inadequate protection against malware. This essentially means that either they do not have anti-virus and anti-spyware tools or they do not use or update them regularly.

Protecting your System against Malware

It is essential for you to protect your system from all kinds of malicious software programs, such as the d.exe and aspimgr.exe files. When a system is infected, it is quite expensive and time consuming to restore it to its original condition. Furthermore, you stand the chance of losing a large amount of your data, and if your PC is on a network, other connected computers may become affected as well. At times, these programs come disguised as legitimate Windows files, such as iexplore.exe and alg.exe, and this makes it quite difficult to detect and remove these malicious files manually.

It is humanly impossible to make your computer 100% secure, but by taking simple precautions and continuously updating your computer you can reduce your risk considerably.

The first step in protecting your system is to install reliable and advanced Anti-Virus and Anti-Spyware solutions. It is advisable to run anti-virus and anti-spyware scans on a regular basis. You must also update your tools on a regular basis because manufacturers release new definitions almost daily.

You can also make your system more secure by installing a Firewall. A firewall can be a hardware device or a software application that sits between your computer and the Internet. It filters out the information you send and receive on your computer. In other words, the firewall receives and inspects all incoming and outgoing data. The tool allows you to choose program access permissions on your computer, which to a large extent prevents malware infiltration and unauthorized access to your system.

It is also highly advisable to regularly update your Windows software on a regular basis by using the Windows Update feature, live update features of third-party software, and a reliable driver scanner tool. You must also scan your registry on a regular basis to ensure that no malware data stays within it. You can do this easily and efficiently by using a reliable registry cleaner tool.

How To Avoid PC Errors And Boost Computer Performance

How To Avoid PC Errors And Boost Computer Performance

Are you sick and tired of the frequent error messages that keep showing up on your PC?


Would you like to learn how to avoid annoying computer errors, without spending hundreds of dollars?


If your answer to these questions is yes, you do not need to give up hope just yet. First, you are not alone and are a part of a majority of computer users who are feeling overwhelmed by these computer errors and how these problems are damaging computer performance. Secondly, you must understand that you will not find a permanent solution to computer errors by just hoping that errors do not happen or by calling in the computer experts for your rescue every time you encounter an error. The only solution to these problems is to confront these errors head-on. This includes understanding why these errors happen, how they can be avoided and what to do when errors show up, even after you have taken all the necessary steps. To perform these tasks, you will need the services of a few useful tools that are critical in avoiding and fixing frustrating computer errors.

Disable Unwanted Startup Programs. Quite often, when you install software programs on your computer, they configure a related process to automatically start at system startup. For instance Osa.exe launches at system startup to enable quick access to Microsoft programs. The program is seldom used and most of the time, the only task it does is to feed on your system resources. To disable osa.exe and other such unwanted processes from starting at system startup, you may either use the System Configuration Utility (msconfig) that comes with your Windows operating system or use an easy-to-use third-party startup program manager tool.

Ensure that your User Profile is Not Corrupt. Many files, such as csrss.exe cause high CPU usage problems that slow down your computer if the user profile for the user account with which you are logged on to the system is corrupt. If this is the case, you can resolve the problem by deleting your current user profile and creating a new one. Before deleting your corrupt user profile, remember to make a backup of your files including your emails, address book, favorites, and files stored on your Desktop.

Scan and Clean Malware Regularly. Many errors, such as exe errors and runtime errors are caused due to virus and spyware infections. To fix exe error and other error messages generated by malware and to prevent them from occurring in the first place, it is essential that you use efficient antivirus and antispyware tools to scan and clean all unwanted malicious data. To ensure that these tools are effective, make sure to update them with the latest definitions on a daily basis.

Clean and Defrag your Hard Disk. Low disk space errors and slow computer problems are common on computers with a filled up, cluttered and fragmented hard disk. To prevent this situation, you must use the Disk Cleanup and Disk Defragmenter tools at least once a month to clean junk files and defrag your hard disk to make it contiguous. This will not only prevent errors, but will also considerably speed up your PC.

Clean and Repair the Windows Registry. Finally, make it a point to get a reliable registry tool and use it at least once a month to scan, clean, and repair unwanted and corrupt registry entries.

Does the code use MapPath?

Review code for the use of MapPath. MapPath should be used to map the virtual path in the requested URL to a physical path on the server to ensure that cross-application mapping is not allowed.

The application should not contain code similar to the following example.

string mappedPath = Request.MapPath( inputPath.Text, Request.ApplicationPath);

Instead, the application should contain code similar to the following.

try
{

string mappedPath = Request.MapPath( inputPath.Text, Request.ApplicationPath, false);
}

catch (HttpException)
{
// Cross application mapping attempted.
}

Do You Use the HttpChannel?

If you use the HttpChannel for .NET remoting, you should prefer IIS as the host for the remote component because the component is loaded in the ASP.NET worker process. The ASP.NET worker process loads the server garbage collector, which is more efficient for garbage collection on multiprocessor machines. If you use a custom host, such as a Windows service, you can use only the workstation garbage collector. The HttpChannel also enables you to load balance components hosted in IIS.

Web Services : Brokered Authentication

Context
A client needs to access a Web service. The Web service requires the application to present credentials for authentication so that additional controls such as authorization and auditing can be implemented.

Problem
How does the Web service verify the credentials that are presented by the client?

Forces
Any of the following conditions justifies using the solution described in this pattern:

· The client accesses additional services, which results in the need for a single sign on (SSO) solution. Without a single sign on solution, the client may be forced to authenticate prior to every Web service call or cache the user's credentials within the application. If the user's credentials include a password, caching the password is not recommended because it may pose a security risk.
· The client and the Web service do not trust each other directly. The client and the Web service may not trust one another to manage or exchange shared secrets securely. Establishing trust directly between a client and Web service often requires out of band interactions that can hinder clients and services from interacting dynamically.
· The Web service and the identity store do not trust each other directly. The Web service may be unable to communicate with the identity store directly, because of access control restrictions, network restrictions, or organizational policy.

The following condition is an additional reason to use the solution.

· The client and Web service share a standard access control infrastructure. You can simplify the development of new Web services by standardizing and centralizing the issuance and verification of credentials. You can also centralize the management of data associated with credentials; this reduces the costs associated with identity management.

Solution
Use brokered authentication where the Web service validates the credentials presented by the client, without the need for a direct relationship between the two parties. An authentication broker that both parties trust independently issues a security token to the client. The client can then present credentials, including the security token, to the Web service.

Participants

Brokered authentication involves the following participants:
· Client. The client accesses the Web service. The client provides the credentials for authentication during the request to the Web service.
· Service. The service is the Web service that requires authentication of a client prior to authorizing the client.
· Authentication broker. The authentication broker authenticates clients and maintains authoritative control over security tokens. It also vouches for the client by issuing it a security token.
· Identity store. The entity that stores a client's credentials for a particular identity domain.

Process
1. The client submits an authentication request to the authentication broker.
2. The authentication broker contacts the identity store to validate the client's credentials.
3. The authentication broker responds to the client, and if authentication is successful, it issues a security token. The client can use the security token to authenticate with the service. The security token can be used by the client for a period of time that is defined by the authentication broker. The client can then use the issued security token to authenticate requests to the service throughout the lifetime of the token.
4. A request message is sent to the service; it contains the security token that is issued by the authentication broker.
5. The service authenticates the request by validating the security token that was sent with the message.
6. The service returns the response to the client.

There are different types of authentication brokers. Each type uses different mechanisms to broker authentication between a client and a service. Common examples of an authentication broker include the following:
· X.509 PKI
· Kerberos protocol
· Web Service Security Token Service (STS)

Benefits
The benefits of using the Brokered Authentication pattern include the following:
· The authentication broker manages trust centrally. This eliminates the need for each client and service to independently manage their own trust relationships.
· Solutions built around brokered authentication with a centralized identity provider are often easier to maintain than direct authentication solutions. When new users who require access to any of the clients or Web services are added to the identity store, their credentials are maintained in one central point.
· Two parties participating in brokered authentication do not require prior knowledge of one another to communicate. If a client is modified to call a Web service it has never used before, the Web service requires no changes to its configuration or data to authenticate credentials presented by the client.
· Trust relationships can be established between different authentication brokers. This means that an authentication broker can issue security tokens that are used across organizational boundaries and autonomous security domains.

Liabilities
The liabilities associated with the Brokered Authentication pattern include the following:
· The centralized trust model that is used by Brokered authentication can sometimes create a single point of failure. Some types of authentication brokers, such as the Kerberos Key Distribution Center (KDC), must be online and available to issue a security token to a client. If the authentication broker somehow becomes unavailable, none of the parties that rely on the authentication broker to issue security tokens can communicate with each other. This problem of a single point of failure can be mitigated by implementing redundant or back-up authentication brokers, although this increases the complexity of the solution.
· Any compromise of an authentication broker results in the integrity of the trust that is provided by the broker also being compromised. If an attacker does successfully compromise the authentication broker, it can use the authentication broker to issue security tokens, and conduct malicious activity against parties that trust the authentication broker.

Security Considerations
Security considerations associated with the Brokered Authentication pattern include the following:
· Claims held in security tokens often contain sensitive data, and must be protected in transit, either by using message layer security, or transport level security.
· Security tokens must be signed by the issuing authentication broker. If they are not, their integrity cannot be verified. This could result in attackers trying to issue false tokens.
· A Time of Change/Time of Use vulnerability may exist if the client's account status, identity attributes, or authorization attributes are modified by an account administrator. If these changes are not reflected in the security token, it creates a vulnerability that may lead to invalid clients interacting with the service with elevated privileges.

Social Networking Sites – Will the risks increase?

Social Networking sites such as Orkut, Facebook, MySpace have become household names in the recent times. The networking on internet has been experiencing a drift from the old networking sites such as classmates.com to “Web 2.0” sites such as Orkut. The crux still comprises of online user communities sharing information, discovering new contacts and reconnecting with older ones.

The platform in the social networking sites grows via user contributions which are powered by communication channels such as email, chat, message boards. Like-minded individuals can share information and interest and provide feedback and reviews. These sites contain a warehouse of information that can be mined and analyzed. More than 3 years after Facebook was attack by a widespread social networking worm, many sites did patch old vulnerabilities. But the problem has not gone away. While the site owners are gaining profits from this explosion of information correlation, attackers are too seeking benefit from this arrangement. These sites have been hosts to worms, phishing attacks, identity theft, spam and other malware exploits.

The changing times might bring in higher level of integration of these applications with cellular networks too. Mobility and location aware applications might soon dominate on these apps. Cell towers and GPS services might be able to pass your information to whomsoever you wish. The increased smartness in the applications might mean that not only local business and entertainment might use this information to attract you, but you might also be able to meet your friends in the same area of your social network or thrill you by online dating service. The DTH services might also become a social networking hub. While watching your favorite TV programs, you might also be able to see what your friend is watching and chat and review the program rating. Each time a user visits a site; clicks on a link, rate a blog, or chat on specific content, the site will gain intelligence about the user and enhance his social network.

Increased collaboration and sharing of information also increases the risk for an individual. The user typically exposes his/her taste in terms of profile, be it liking a TV channel program, movie, books, celebrity gossips, workplace drama, geek gadgets, etc. The key component of social networking site is high amount of open information of the user. User privacy is at highest risk too because of information correlation and location tracking issues. Many of them may not opt for such services. However, when users see a benefit from using this service they will volunteer by providing little information.

As the security researchers and site owners are aware of security and privacy issues involved in these sites, they try to encapsulate the information at level of city or state for example. Unfortunately the bad guys will still be hanging around with the risk of vast information falling in hands of bad guys.

Spam based attacks have the potential to disrupt these social networking sites as they have been advancing today. The spam exploits will become more convincing social engineering attacks with all this data. Social botnets are another major threat to the social networking sites which can contaminate the site content with fake profiles and testimonials. Security in these sites will depend heavily on server-side defenses which might need to scan all incoming and outgoing traffic and snoop for malicious code.

To conclude, social networking sites will be rapidly expanding, adding user base and functionality and be able to mine and intelligently use user profile, security challenges will be both compelling and threatening.

How to Authorize Declaratively : WCF 3.5

Declarative authorization can be added to application code at design time by specifying required access for a particular method or class declared as an attribute on the operation. Declarative role-based authorization is best for authorizing access to WCF at the operation level. Declarative authorization can be added to application code at design time by specifying required access for a particular method or class declared as an attribute on the operation.

Authorize windows groups declaratively by adding the PrincipalPermission attribute above each service method that requires authorization. Specify the Windows user group required to access the method in the Role field.

[PrincipalPermission(SecurityAction.Demand, Role = "accounting")]
public double Add(double a, double b)
{
return a + b;
}

The username/password combination supplied by the client will be mapped by the WCF service to a Windows user account. If the user is successfully authorized, the system will next check to see if the user belongs to the group declared with the PrinciplePermission role. Method access will be granted if the user belongs to the role.