7 HTTPS myths debunked

HTTPWatch Blog has a nice article debunking these HTTPS myths -

  • Myth #1 – My Site Only Needs HTTPS for the Login Page
  • Myth #2 – Anything can go in Cookies and Query Strings with HTTPS
  • Myth #3 – HTTPS is Too Slow
  • Myth #4 – New SSL Certificates Have to be Purchased When Moving Servers or Running Multiple Servers
  • Myth #5 – Each HTTPS Site Needs its Own Public IP Address
  • Myth #6 – SSL Certificates are Expensive
  • Myth #7 – HTTPS Never Caches

Also see:
A Web App Is As Secure As You Make It & the Browser It Runs On
Prevent identity theft with HTTPS browsing

Free WebApp Security Testing tools

Performance & Security are non-functional requirements which cannot be taken for granted.

Here's a compilation of Security testing tools for Web apps, drawn from an answer on the Pro WebMasters StackExchange forum & other sources -
Also see:
Web Performance Analysis & Optimization tools

Prevent identity theft with HTTPS browsing

The grave risk of Internet users unwittingly leaking private, and sometimes confidential, details over unencrypted networks has been brought into focus by at least two startling incidents.

Back in May, Google candidly admitted that its Street View data collection cars inadvertently collected and stored "payload data from unencrypted WiFi networks, but not from networks that were encrypted". More recently, a Firefox extension called Firesheep exposed how vulnerable plain HTTP browsing is to identity spoofing.

Analyzing the Firesheep extension, Jeff Atwood makes the following recommendations to protect yourself -
  • We should be very careful how we browse on unencrypted wireless networks.
  • Get in the habit of accessing your web mail through HTTPS.
  • Lobby the websites you use to offer HTTPS browsing.
Gmail enabled default HTTPS access for everyone in January this year. Hotmail lets you turn it on from your Account settings (go to Hotmail Options > Managing your account > Account details, and on the Account overview page choose the "Connect with HTTPS" link under Other options).

Using ASP.NET? You MUST read this

A security vulnerability, dubbed the 'Padding Oracle' crypto attack, has been identified in ASP.NET.

Scott Guthrie has a detailed blog post that you must read; implement the advice in it to keep your ASP.NET applications safe. Excerpts -


This vulnerability exists in all versions of ASP.NET

...all versions of ASP.NET are affected, including ASP.NET MVC.

An attacker using this vulnerability can request and download files within an ASP.NET Application like the web.config file (which often contains sensitive data).

An attacker exploiting this vulnerability can also decrypt data sent to the client in an encrypted state (like ViewState data within a page).

...it also impacts SharePoint.

This vulnerability impacts ASP.NET resources (not just ASPX pages).  You shouldn't need to make any changes to the custom error pages of IIS.

When we issue a patch the workaround won't be required.  The workaround right now is a temporary one that can be used until the patch is available to prevent the attack that has been publicly demonstrated. 
There are lots of different platform matrixes and localization languages to build/test/verify which is why producing a patch with high confidence enough to deploy automatically across millions of machines takes a bit of time to get right.


Wikipedia definitions of the computer security jargon used in these discussions -

Vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw.

An exploit (from the same word in the French language, meaning "achievement", or "accomplishment") is a piece of software, a chunk of data, or sequence of commands that take advantage of a bug, glitch or vulnerability in order to cause unintended or unanticipated behavior to occur on computer software, hardware, or something electronic (usually computerised). This frequently includes such things as gaining control of a computer system or allowing privilege escalation or a denial of service attack.

A zero-day (or zero-hour or day zero) attack or threat is a computer threat that tries to exploit computer application vulnerabilities that are unknown to others or undisclosed to the software developer.

Related links:
* StackOverflow: How serious is this new ASP.NET security vulnerability and how can I workaround it?
* Forum discussing this security vulnerability on the official ASP.NET website
* 'Padding Oracle' Crypto Attack Affects Millions of ASP.NET Apps
* Discussion on Y Combinator Hacker News

Web Security Tutorials from Google & MS

Google Code University hosts tutorials on a variety of topics including Web Security. A recently added tutorial is called "Web Application Exploits and Defenses". A blog post announcing this has an interesting statement -
The maxim, "given enough eyeballs, all bugs are shallow" is only true if the eyeballs know what to look for.

For web developers interested in security, Microsoft E-Learning offers a two-part course called Microsoft Security Guidance Training for Developers.

Also see:
Google Browser Security Handbook
OWASP Development Guide

Internet Banking risks - Phishing, Vishing & now SIM-swap frauds

ICICI Bank has been running a Customer Education Series in Indian newspapers; they are one of the few Indian banks that bother to educate the public about banking facts that are not generally known. The columns in the series are available on the Web only as PDFs (as far as I know), and they do not seem to be easily reachable.

I've heard of Phishing & Vishing, but SIM-swap fraud was news to me. Excerpt from today's column on SIM-swap fraud -

Your mobile phone is now also a convenient banking channel; but it can make you vulnerable to SIM-swap fraudsters if you do not take some simple precautions.

How do SIM-swap frauds occur?
• The fraudster obtains your mobile phone number and bank account details through a phishing e-mail.
• He asks your mobile-phone-service provider for a replacement SIM card under some pretext, like changeover to a new handset or loss of SIM/handset.
• The service provider deactivates your SIM card and gives him a replacement SIM.
• The fraudster introduces a payee into your bank account using the phished data, transfers funds from your account to his and withdraws the money through an ATM.
• All this while, your service provider's alerts don't reach you because your SIM card has been deactivated.

What are the safeguards that should be taken?
• Never respond to phishing e-mails.
• Do not disclose your mobile phone number on websites.
• Change your banking passwords frequently.

If you find your mobile number inactive for an unusually long period or abruptly barred from calls; or if it displays limited access or says the SIM is inactive; contact your service provider without delay and find out the reason.
HOW to log Remote Desktop connection info

Remote Desktop Connection is a great utility for accessing PCs that are physically away from you. If you are responsible for the security of a Windows machine that can be accessed through Remote Desktop, you have to keep constant track of the users and their permissions.

To monitor the activity of users connecting through RDP, you have to set up an Audit Policy (see steps). Once set, the Security Event Log will record when a remote user logs on or off. In the Event Viewer, a successful logon/logoff can be identified by Event code 528 with Logon Type 10.

To allow users to connect through RDP, they have to be added explicitly. However, any member of the Administrators group can connect even if not listed. A user who no longer requires access should be removed explicitly, or his permissions curtailed, to prevent potential abuse. To remove users selectively or entirely, right-click "My Computer", select "Properties", choose the "Remote" tab and make the changes there.
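The two points above (watch the Security log for Event 528 / Logon Type 10, and keep the set of people allowed to use RDP explicit and current) combine naturally into a small review script. The following is an added example, not part of the original post: it parses constructed, flattened `key=value` log lines (not real Event Viewer output), keeps only successful RDP logons, and reports any user who connected but is not on an approved list. Event ID 528 is the successful-logon event on Windows 2000/XP/2003; the filter also accepts 4624, which is its equivalent on Windows Vista and later.

```python
import re

# Constructed sample lines in a flattened key=value form; they are NOT real
# Event Viewer output, just enough structure to demonstrate the filter.
SAMPLE_LOG = """\
2010-08-01 09:12:03 EventID=528 LogonType=10 User=CORP\\alice Workstation=LAPTOP7 SourceIP=10.0.0.5
2010-08-01 09:15:41 EventID=528 LogonType=2 User=CORP\\bob Workstation=DESK3 SourceIP=-
2010-08-01 11:02:17 EventID=528 LogonType=10 User=CORP\\contractor1 Workstation=UNKNOWN SourceIP=203.0.113.9
2010-08-01 11:40:00 EventID=538 LogonType=10 User=CORP\\alice Workstation=LAPTOP7 SourceIP=10.0.0.5
2010-08-01 23:58:12 EventID=4624 LogonType=10 User=CORP\\admin Workstation=OPS1 SourceIP=10.0.0.77
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) EventID=(?P<event_id>\d+) LogonType=(?P<logon_type>\d+) "
    r"User=(?P<user>\S+) Workstation=(?P<ws>\S+) SourceIP=(?P<ip>\S+)$"
)

# 528 = successful logon on Windows 2000/XP/2003; 4624 is the equivalent on Vista and later.
LOGON_EVENT_IDS = {528, 4624}
RDP_LOGON_TYPE = 10  # Logon Type 10 = RemoteInteractive (Terminal Services / RDP)


def parse_line(line):
    """Turn one flattened log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["event_id"] = int(rec["event_id"])
    rec["logon_type"] = int(rec["logon_type"])
    return rec


def rdp_logons(log_text):
    """Return the successful RDP logon records (event 528/4624 with logon type 10)."""
    out = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["event_id"] in LOGON_EVENT_IDS and rec["logon_type"] == RDP_LOGON_TYPE:
            out.append(rec)
    return out


def unexpected_rdp_users(log_text, allowed_users):
    """Users who logged on over RDP but are not on the approved list.

    Administrators can connect without being listed on the Remote tab, so this
    catches both stale accounts and privileged accounts nobody expected to use RDP.
    """
    seen = {r["user"] for r in rdp_logons(log_text)}
    return sorted(seen - set(allowed_users))


if __name__ == "__main__":
    for rec in rdp_logons(SAMPLE_LOG):
        print(f"{rec['ts']}  {rec['user']:<20} from {rec['ip']} ({rec['ws']})")
    print("not on approved list:", unexpected_rdp_users(SAMPLE_LOG, ["CORP\\alice"]))
```

Feed it a real export by adapting `LINE_RE` to whatever format you dump the Security log in (CSV from Event Viewer, for instance); the filtering and allowlist comparison stay the same.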

On a related note: did you know that you cannot use Remote Desktop Connection to connect to remote (host) computers running the following editions of Windows Vista?
Windows Vista Starter
Windows Vista Home Basic
Windows Vista Home Premium

Related:
How to Remove Entries from the Remote Desktop Connection Computer Box
Running Windows applets from the command line
5 free SQL Server tools

In the 10th Anniversary edition of SQL Server Magazine, there are recommendations for 5 free tools for SQL Server. Two of them are for load testing and the others for preventing SQL injection -
  1. SQLQueryStress - a query load testing tool written by SQL Server MVP Adam Machanic.
  2. SQL Load Generator - runs multiple concurrent queries against SQL Server.
  3. HP Scrawlr - a free scanner utility that can detect whether your website is susceptible to an SQL injection attack.
  4. URLScan - a security tool that actively restricts the kinds of HTTP requests Microsoft IIS will process.
  5. Microsoft Source Code Analyzer for SQL Injection - a static code analysis tool for finding SQL injection vulnerabilities in ASP code.
The following are Kalen Delaney's recommendations for testing before deployment:
1. Test with real data.
2. Test with real data volumes.
3. Test with a real number of concurrent users.

Also see:
SQL Server Performance Audit Checklist
Tips on ASP.NET Hosting & Deployment
A Web App Is As Secure As You Make It & the Browser It Runs On

Did you know about these security issues...

An IP address such as 74.125.19.99 can be written in ambiguous ways, such as 74.0x7d.023.99 (mixing decimal, octal and hexadecimal notation) or 74.8196963. This is a trick used in phishing exploits.
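The disguise works because inet_aton-style parsers accept each dotted component in decimal, octal (leading 0) or hex (0x), and let the last component fill all remaining bits, so a two-part or even one-part number is still a valid address. The following is an added example, not code from the handbook: it normalises any of those spellings to canonical dotted-quad form, which is what a URL filter or phishing check should compare against. It goes slightly beyond the two forms quoted above and also handles the single 32-bit integer form.

```python
import re

# Accepts decimal, octal (leading 0) and hex (0x) components, like inet_aton does.
_PART = re.compile(r"^(0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*)$")


def parse_part(text):
    """Parse one dotted component written in decimal, octal or hexadecimal."""
    if not _PART.match(text):
        raise ValueError(f"bad component: {text!r}")
    if text[:2].lower() == "0x":
        return int(text[2:], 16)
    if len(text) > 1 and text[0] == "0":
        return int(text, 8)
    return int(text, 10)


def normalize_ipv4(host):
    """Return the canonical dotted-quad form of an inet_aton-style address, or None.

    Examples of inputs that all map to 74.125.19.99:
      74.0x7d.023.99   (hex and octal components)
      74.8196963       (last component fills the remaining 24 bits)
      1249710947       (the whole address as one 32-bit integer)
    """
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        values = [parse_part(p) for p in parts]
    except ValueError:
        return None
    # Every component except the last is a single octet; the last one
    # spans however many bits are left (8, 16, 24 or 32).
    for v in values[:-1]:
        if v > 0xFF:
            return None
    last_bits = 8 * (5 - len(parts))
    if values[-1] >= 1 << last_bits:
        return None
    addr = 0
    for v in values[:-1]:
        addr = (addr << 8) | v
    addr = (addr << last_bits) | values[-1]
    return ".".join(str((addr >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def is_disguised(host):
    """True when the host parses as an IPv4 address but is not plain dotted-quad."""
    canonical = normalize_ipv4(host)
    return canonical is not None and canonical != host


if __name__ == "__main__":
    for sample in ("74.125.19.99", "74.0x7d.023.99", "74.8196963", "1249710947", "example.com"):
        print(f"{sample:<18} -> {normalize_ipv4(sample)}  disguised={is_disguised(sample)}")
```

Run the normalisation on the host part of a URL before any allow/deny list lookup; comparing against the raw string is exactly what the trick defeats.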

SVG natively permits embedded scripts and event handlers, and Firefox, Safari, Opera and Chrome all support the SVG image format.
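Because SVG is XML, the script-bearing parts are easy to enumerate: `<script>` elements, `on*` event-handler attributes on any element, and `javascript:` links. The following is an added example, not code from the handbook: a small detector that walks a user-supplied SVG and lists those parts, run over a constructed sample. It is a detection aid for a review or upload pipeline, not a sanitiser; a production sanitiser should instead rebuild the document from an allowlist of elements and attributes.

```python
import xml.etree.ElementTree as ET

# Constructed sample: three kinds of active content a plain image should not carry.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <rect width="10" height="10" onload="run()"/>
  <a xlink:href="javascript:run()"><text>click</text></a>
  <script>run()</script>
</svg>"""


def _local(name):
    """Strip the {namespace} prefix ElementTree puts on tags and attribute names."""
    return name.split("}")[-1]


def find_active_content(svg_text):
    """Return (element, reason) pairs for every script-bearing part of the SVG."""
    findings = []
    root = ET.fromstring(svg_text)
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag.lower() == "script":
            findings.append((tag, "script element"))
        for name, value in elem.attrib.items():
            attr = _local(name)
            if attr.lower().startswith("on"):
                findings.append((tag, f"event handler attribute {attr}"))
            elif attr == "href" and value.strip().lower().startswith("javascript:"):
                findings.append((tag, "javascript: URL"))
    return findings


def is_safe_svg(svg_text):
    """True when no script, event handler or javascript: link was found."""
    return not find_active_content(svg_text)


if __name__ == "__main__":
    for element, reason in find_active_content(SAMPLE_SVG):
        print(f"<{element}>: {reason}")
    print("safe:", is_safe_svg(SAMPLE_SVG))
```

Serving uploaded SVGs as `<img>` rather than inline also limits what embedded script can do, but the safest course for untrusted images is to not accept active content at all.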

xssed.com, a site dedicated to tracking publicly reported issues about HTML injection flaws, amassed over 50,000 entries in under two years.

The recently released Browser Security Handbook has revelations like these and a thorough review of browser quirks that can affect security.
This 60-page document provides a comprehensive comparison of a broad set of security features and characteristics in commonly used browsers, along with (hopefully) useful commentary and implementation tips for application developers who need to rely on these mechanisms, as well as engineering teams working on future browser-side security enhancements.

This is a great resource for web developers keen on building secure cross-browser applications. Remember your web application is as secure as you make it and the browser that it runs on.

In the interest of users' security and better standards compliance, developers should encourage users to upgrade to newer browsers.

The Handbook is currently a kind of beta, and I hope the final version has numbers for the Browser Comparison Tables for better readability and reference, and a way to download it as a PDF for offline use.

The Microsoft ACE (Application Consulting & Engineering) Team's blog is another good resource on security for ASP.NET developers.