Security Feed

12/17/2008

Microsoft internal SDL tools released to public beta


Today, Microsoft released new tools that supplant a couple of tools I mentioned last week. The first is an update to the Anti-XSS library that is now current with the version we use internally.

The second, a static code analyzer called CAT.NET is an extraordinary tool. If used with some discipline, it can virtually eliminate XSS and SQL injection vulnerabilities in managed code.

From the SDL Blog on MSDN:

Today, we’re very excited to announce the availability of our next version of the Anti-Cross Site Scripting Library (Anti-XSS) v3 BETA as well as Code Analysis Tool .NET (CAT.NET) v1 CTP. Anti-XSS v3 BETA includes performance improvements, localization enhancement as well as a Security Runtime Engine (SRE) that uses an HTTP module to provide a level of protection against XSS for your application without the need to rebuild your code. CAT.NET v1 CTP is a binary analysis tool that can be used by developers to identify some common vulnerabilities that can lead to attack vectors such as XSS, SQL Injection and XPath Injection in your code. [From Announcing CAT.NET CTP and AntiXSS v3 beta]

If you're working in any .NET language on the web, including non-Microsoft languages, you should check CAT.NET out.

, , , , , , , , ,

Posted at 06:04 PM in News, Security, Software | | Comments (0)

|

12/10/2008

Free risk management tools from Microsoft

Following my past post about the Microsoft SDL Threat Modeling tool, I have a list of other free Microsoft risk management tools. I think full disclosure is important up front for this post: I am a Microsoft employee. I am not discounting the value of non-Microsoft tools - I am simply posting a list of tools that I recently compiled for a colleague.

In addition to the SDL Threat Modeling Tool, which is geared toward developers with a limited security background, there's the Microsoft Threat Analysis & Modeling tool. It uses the "DREAD" threat model (Damage potential; Reproducibility; Exploitability; Affected Users; Discoverability) rather than the "STRIDE" model (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege) that the SDL tool uses. IMHO, the DREAD model is geared more towards risk managers than developers. OWASP documents a couple of other frameworks (including Homeland Security's CVSS) here.

If you want to do large-scale security assessments, there is the Microsoft Security Assessment Tool. It's designed for a much higher-level view (or lower, depending on your perspective) than an either threat model tool.

I'd love to be able to point you to a good attack surface analyzer that looks for misconfigured services and applications, but I don't know of a good comprehensive public tool (though I'd love to find one). Instead, I'll point out a couple of tightly-scoped tools that I'm familiar with.

The MS Baseline Security Analyzer will check patching states. It's probably the tool on the list that's most widely known.

The Best Practices Analyzer Tool for MS SQL Server for 2005 came out recently. There's also an older one for SQL Server 2000.

XSSDetect is a static code analysis tool that identifies XSS vulnerabilities (in case the name didn't give that away). There's a second static code analyzer to battle SQL Injection.

Both of those tools work on compiled assemblies, so in addition to working on VB.NET and C#, they should also work on PHP (via Phalanger), Python (via IronPython) and Ruby (via IronRuby). I think Perl folks are out of luck.

And here's a version of the Microsoft's Anti-XSS libraries for ASP.NET. It's older than I'd expect since this sort of library needs to be actively maintained, but it is certainly better than just relying on html-encode.


Technorati Tags: ,,,,,,,,,,,,,,

Posted at 05:23 PM in Security, Software | | Comments (0) | TrackBack (1)

|

12/03/2008

Threat Modeling at Microsoft

This isn't new, but Microsoft released it's Threat Modeling Tool v3.1 as a public beta a couple of weeks ago. I've been using this tool internally at Microsoft for a bit longer than that, and it is impressive.

Instead of being a comprehensive tool for experts only, this tool makes threat modeling approachable to the average developer with little security background. At its core is a hosted Visio data flow diagramming tool. The tool produces workable diagrams which are then automatically analyzed to suggest common threats.

Adam Schostack presented a demo of the software at the Bluehat Conference in October as part of a point/counterpoint session (Adam begins about halfway through). Don't blame me for being too far behind, though -- the video was just posted to technet before Thanksgiving.

, , , , ,

Posted at 06:54 PM in Security, Software | | Comments (2)

|

09/18/2008

TSA doesn't believe in insider threats

Dave Lewis at Liquid Matrix has pointed out an article from Denver 9 News. Apparently, TSA employees no longer have to go through security when reporting to work -- they are allowed to take backpacks purses, and other personal items into secured areas without inspection.

From Denver 9 News:

The TSA says the new policy is part of a risk-based security screening process where there are multiple layers of security
"We have a finite amount of resources and we allocate those where we think the risk is greatest," said Harmon. "It's based on intelligence; it's based on knowledge of our people and our processes."
The TSA says its employees have background checks before they are hired. TSA policy says employees are supposed to report any other arrest, including an alcohol related arrest, within 24 hours or, due to circumstances beyond their control, as soon as possible after that. [From 9NEWS.com | Colorado's Online News Leader | Airport screeners bypassing security]

Most companies vet their employees as part of the hiring process as well -- the TSA isn't unique there. I certainly had to go through a background check before starting my current position. In my position, secured areas are electronic rather than physical, but the general principals still apply.

I don't have unfettered access to secure areas. There are still access controls, audits, and policies that manage my access. In short, the access rules are designed to minimize insider threats.

Yes, inside attacks are much rarer than external attacks, but the impact is far more severe when the attacks do occur. The insiders know exactly where the valuable targets are and how to exploit them.

Insider threat is real, and TSA has an easy win available to them to -- a policy decision to make employees go through existing security check points.

Posted at 08:10 AM in Security, Systems, Trust | | Comments (0) | TrackBack (0)

|

09/09/2008

UCSB team develops voting machine virus

The Computer Security Group at the University of California Santa Barbara have done an in-depth look at the voting machines used by the State of California and have authored a proof of concept virus.

From UCSB:

In the Summer of 2007, the Security Group of UCSB participated in the Top-To-Bottom Review (TTBR) of the electronic voting systems used in California. This was a first-of-its-kind review, where the evaluators had unprecedented access to the systems' source code, hardware, and associated documentation.

* * *

In particular, we developed a virus-like software that can spread across the voting system, modifying the firmware of the voting machines. The modified firmware is able to steal votes even in the presence of a Voter-Verified Paper Audit Trail (VVPAT). [From UCSB: Evaluating the Security of Electronic Voting Systems]

There are currently three publications around this research. A report, a formal paper, and a video.

Here is the video (in two parts):

 

 

Posted at 07:07 PM in Security, Software, Systems | | Comments (0) | TrackBack (0)

|

09/08/2008

Cybercrime first: space station virus

Apparently, NASA is sending unclean builds into orbit leading to a first -- a space worm.

From hungry-hackers.com:

SAN FRANCISCO: NASA confirmed that a computer virus sneaked aboard the International Space Station only to be tossed into quarantine on July 25 by security software.
A "worm type" virus was found on laptop computers that astronauts use to send and receive email from the station by relaying messages through a mission control center in Texas, according to NASA spokesman Kelly Humphries on Wednesday. [From Computer virus goes into orbit | Hacking Truths]

The Dark Visitor blog suggests that the worm is Chinese in origin:

The trojan is also referred to as the kavo.exe virus and is designed to gather information on ten online games:

ZhengTu
Wanmi Shijie or Perfect World
Dekaron Siwan Mojie
HuangYi Online
Rexue Jianghu
ROHAN
Seal Online
Maple Story
R2 (Reign of Revolution)
Talesweaver

* * *

Will check more into the origin of this malware later today but all indicators suggest that it could be Chinese. [From The Dark Visitor » Chinese hacker malware infects International Space Station?]

While it may be Chinese, I'm betting it isn't an intentional attack. Unless, of course, Chinese and Korean MMOGs are popular on the space station.

Posted at 08:47 PM in News, Security, Software, Systems | | Comments (0) | TrackBack (0)

|

SDL as meta-security?

It's interesting that the Microsoft Secure Development Lifecycle is approaching XSS attacks in the same way desktop vulnerabilities are tackled.

In a sense, the SDL is metasecurity -- while still addressing direct security issues (individual attacks/vulnerability), the SDL also looks at the process by which applications are written and actually prevents future vulnerabilities from being created. And on the meta-meta-level, the SDL also examines the SDL.

I'm only quoting a small part of the article. Please read the whole thing and follow the links out -- there is a lot of very interesting work being done around XSS at Microsoft right now.

From Steve Lipner via the SDL Blog:

David's years of work researching XSS led him to come up with an approach that blocks many of the most common vulnerabilities to reflected attacks found on the web today. The solution is compatible with existing web pages (doesn't "break the web") and thus we were able to enable it by default for users of Internet Explorer 8. Because it's a client-side mitigation, it will help protect users from attacks even though the sites they visit may be vulnerable to XSS.
Our work on buffer overrun defenses follows a somewhat similar pattern - we started by prescribing coding techniques, banning the use of some APIs, and building tools that detect coding constructs that look like buffer overruns. [From The Security Development Lifecycle : SDL and the XSS Filter]

Posted at 06:09 PM in Security | | Comments (0) | TrackBack (0)

|

Carpet bombing and directory poisoning -- an old web attack rehashed

I've been on vacation and then spent time catching up at work, so it's been a couple of weeks since I've been posted regularly. I'm trying to catch up now, so here goes ...

This is an interesting post from CERT . What's most interesting about it is that it's a desktop version of an old web vulnerability where an attacker uploads a code file into an improperly secured directory and then executes it remotely. I'm sure nobody is writing web code like that any longer (right?), but the execution directory thing is apparently still a problem (though Vista fixes it as the source notes).

From the Cert Vulnerability Analysis Blog:

Hey, it's Will. Earlier this year, details about "carpet bombing" attacks were released. Apple addressed the issue by prompting users before downloading files, but recent news indicates that Google Chrome, which is based on Apple's WebKit code, is also vulnerable to the same type of attack. However, some people seem to be missing an aspect of the attack that affects all web browsers.
When loading a DLL, Microsoft Windows looks for the DLL in a certain sequence of directories. The first match for the file name wins. In most cases, Windows will first look for a DLL in the same location as the executable. This behavior is what allows the Apple Safari "carpet bombing" vulnerability to work. If an attacker can place code in a directory that gets searched before Windows finds the "real" DLL, the attacker's code will be executed. [From Vulnerability Analysis Blog: Carpet Bombing and Directory Poisoning]

Posted at 05:55 PM in Security | | Comments (0) | TrackBack (0)

|

09/05/2008

Security book recommendations for PHP developers

After being away from things for a week on vacation, I gave a brief talk last night at the Seattle PHP Meetup. While I don't want to recount the takl as a whole, I did recommend several books to the developers attending. Here they are:

  • OWASP Guide 2005: ($11.45, lulu.com) This freely redistributable book (you can download a copy for free here) is one of the standards. OWASP is a collaborative web security group and this is their outline for best practices.
  • php|architect's Guide to PHP Security ($21.77, Amazon.com) While I don't think this book contains the best writing around, it is a good look at PHP-specific issues. And it includes lots of code examples (code examples are good).
  • Secure Coding: Principals and Practices ($26.95, Amazon.com) This book looks at the entire development lifecycle from design to obsolecense from a security framework. There are lots of Secure Development Lifecycle frameworks. I chose this book because it looks more at the principals in general than at applying a specific framework.
  • Web Application Hacker's Handbook:($30, Amazon.com) This is a fabulous book. While the other text deal with how to secure an application, this one will shop you how insecure code is actually exploited. I think it's important to understand both sides of code security so that we think about things in terms of actual security rather than just following best practices.

Posted at 01:27 PM in Security | | Comments (0) | TrackBack (0)

|

08/22/2008

Google Tech Talk: Cryptography without all the scary math

This has been up for a couple of weeks (it's taken me that long to find an hour to watch), but it's definitely worth passing along. It's a talk given at Google by Harvard Professor Dr. Christopher Thorpe on cryptography titled "Efficient, Secrecy-Preserving, Provably Correct Computation (and Some Cool Applications). It goes beyond some of the very basic crypto that most of us understand into interesting and much more recent ideas.

What makes this video remarkable isn't the crypto he's discussing, it's that he makes it accessible to someone who has forgotten most of their math (such as me). In fact, an attentive viewer with little more than a high-school algebra education can follow most of it.

 

 

Posted at 06:05 PM in Privacy, Security | | Comments (0) | TrackBack (0)

|

« Previous | Next »