[SecurityRatty] tag: code

Null Strings in ASP.NET Declarative DataSource Updates

Fri, 29 Aug 2008 11:42:47 +0000

I just spent about 15 minutes debugging a problem where a document was getting unexpected nulls where empty strings should have been. Indeed controls like the TextBox have code in them that allows you to set the Text property to null and the TextBox will convert that into an empty string. So it's a bit counterintuitive that the declarative data source works the opposite way by default.

When you use a declarative data source to perform a parameterized update that contains string parameters, consider setting ConvertEmptyStringToNull='false' on your elements, because it's true by default! In other words, if a text field contains an empty string, it'll be sent to your declarative data source not as string.Empty, but as null.

Now I don't know about you, but I don't like dealing with nulls if I can avoid it. Especially strings. Unless there's a clear need to have a null state, I avoid them like the plague not only in my database designs but also in my XML schema designs. Hopefully this helps somebody out!

A British Bank Bans a Man's Password

Fri, 29 Aug 2008 06:44:04 +0000

Weird story.

Mr Jetley said he first realised his security password had been changed when a call centre staff member told him his code word did not match with the one on the computer.
"I thought it was actually quite a funny response," he said.

"But what really incensed me was when I was told I could not change it back to 'Lloyds is pants' because they said it was not appropriate.

[...]

"The rules seemed to change, and they told me it had to be one word, so I tried 'censorship', but they didn't like that, and then said it had to be no more than six letters long."

Lloyd's claims that they fired the employee responsible for this, but what I want to know is how the employee got a copy of the man's password in the first place. Why isn't it stored only in encrypted form on the bank's computers?

How secure can the bank's computer systems be if employees are allowed to look at and change customer passwords at whim?

Kaminsky flaw prompts DNS server overhaul

Thu, 28 Aug 2008 20:00:00 +0000

One of the companies most at risk from the notorious DNS cache poisoning vulnerability has overhauled security in the latest release of its DNS server software in what looks like a major code rethink.

ColdFusion: Hack Me or Help Me

Thu, 28 Aug 2008 06:13:00 +0000

For your consideration, the endless battle between security and convenience.
Front and center: ColdFusion.
I've been picking on ColdFusion-built apps again a bit lately, and one of my observations has been that consistently, if mismanaged, the verbose error reporting features in ColdFusion can be really problematic.

HIO-2008-0713 JOBBEX JobSite SQLi & XSS
HIO-2008-0729 BookMine SQLi & XSS

Recently, I stumbled on an example of way too much information disclosure in a few sites running a ColdFusion-built CMS. The error reporting was so verbose it included the base path, data source name, database username, and yes, the database password.
I've cleaned it up for the protection of all involved, but here's a screen shot of only 1/4 of the details this site coughed up when I tweaked the input to a calendar date variable.

When I reached out to the developers of this app (always and immediately responsive), they assured me that this was not due to a flaw in the app, but that the "information should be protected, and is by default for our installations" and that the client disabled the security check and turned debugging on. I accept this explanation entirely, but it leads to the classic debate around the dangers of mismanaged debugging features, be they developer added or ColdFusion feature driven. Stupid user tricks are always an issue, but how much rope should they be given to hang themselves? Does error reporting really need to include the database username and password?

Allow me to present a few different perspectives.
First, rvdh's take on Attacking ColdFusion. Developers can learn a lot from this post, if only in that it precisely points out attack vectors. Ronald sums up my concerns aptly:
"As we know, error messages are important. Especially error messages generated by database software we want to inject. This, is useful for obtaining information about table structures that can be a real time-saver for attackers. If the right information is available, attackers do not have to guess database tables and fields anymore, nor having to brute force them. I have never seen so much information regarding the site's structure, used database, table names, drivers, server setup and other information useful for attackers that those of ColdFusion. It almost says: Please Hack Me!"
As I can't presume to improve on this stance, I won't. Well said.

Next, a developer's take on the issue from Joshua Cyr, who has declared it Check Your Error Output Day. Joshua highlights two key points:
1) Do NOT enable the robust errors setting in CF Administrator.
2) Don't forget to remove debugging dump code.
Heed this advice, ColdFusion fans!

One destination that all "secure" ColdFusion paths should lead to is the use of cfqueryparam. Ronald spells it out well mid way through his discussion, and so do the following resources:
coldfusionjedi
Coldfusion Muse

Further excellent resources for ColdFusion security issues:
SQL Injection Part II (Make Sure You Are Sitting Down)
12Robots.com

In closing, security and convenience needn't always be at odds, but often allowing for both requires a higher state of awareness for developers and end-users. Let common sense prevail; perhaps it'll give me less to do in the way of research. ;-)

del.icio.us | digg

Web Services and XML Security Training at OWASP

Thu, 28 Aug 2008 04:55:59 +0000

I am teaching Web Services and XML Security training at OWASP's AppSec conference in NYC, Sept 22-23. Web services provide the backbone that integrates many things in the enterprise from application servers, databases, ERP, and CRM. Increasingly we are seeing Web services in more B2C roles with Rest, Federation and other technologies. The class looks at how Web services applications are built, what are common threats and vulnerabilities in Web services, and how to build your Web services application to defend against them.

I have often said that OWASP conferences are my favorite ones because they are in depth technically and very practical. I always look forward to teaching at OWASP and the speaker lineup for this conference looks excellent.

Here is a quick list of tools we have used in past classes

Web Services frameworks
Apache CXF - very interesting open source Web services framework with support for JMS, SOAP, and Rest
Apache Axis & Axis2
.Net
Metro - interesting framework from Sun for interop with WCF

Identity
PingFederate - leading federation tool, we'll look at browser based SSO with SAML
PingFederate Web Services - we'll look at how to implement a STS in Web services
Bandit - Cardspace, authorization, and auditing

Security Services
VordelSecure - XML gateway, comprehensive web services security policy creation and enforcement, deploying decentralized security services
Apache Ramparts
modecurity

Testing
Soapbox - web services security testing
WebScarab - web services fuzzing

Static Analysis
Fortify SCA - how to scan your web services code for security bugs *before* you deploy

This is just a quick list, new tools are added periodically. If you are using tools of these types in your company you may find it interesting to attend.

Testimontials on past classes

"High quality detailed overview of SOA security standards and approaches. Well thought-out and structured presentation."
- Sr. IT Architect, Fortune 10 enterprise

"The knowledge and transfer was a great baseline and with the additional resources Gunnar made available, made this one of the best one day classes I've taken."
- IT Security Lead, Fortune 10 enterprise

"This class was a thorough and well-organized trek through the current Web Services Security landscape. Going beyond just describing the standards and the options available in the Web Services Security world, this class discusses real-world use cases and offers implementable solutions, best practices, even vendor choices in several key areas. This class provided me with actionable tasks that I took back to my project teams the very next day!"
-Jesse Aalberg, Sr. Enterprise Application Architect, United Healthcare

"The class was distinctly focused on Security requirements and the strength and weaknesses of the various solution approaches we could consider. The result of the course was actionable approaches to providing security in our SOA environment."
-Brad Sillman, Director IT Security, Deluxe Corp.

"Anyone who wants up-to-date information on SOA Security, security standards and best practices should take this class."
-Kevin Beam, Senior Systems Engineer, Union Pacific Railroad

"Good comprehensive overview of subject, standards, and threats"
- Sr.Security Consultant, Ubizen

"The class helped me get my head around what "SOA" and WS-Security is really all about"
- Mike Zusman, Independent consultant

"Topics addressed are timely and relevant. Labs are hands-on and help see concepts in action"
- Jerry Tan, Systems Analyst, DTCC

"This class was concise and covered a majority of the problem set my company is looking at and dealing with."
- Steve Reilley, Technical consultant, Commerce Insurance

"Excellent two day overview of security topics as related to Web Services."
- Daniel Reznick, Information Security, ADP

"Issue affecting most of us today & for those that don't - will soon. Very necessary education and technology."
Aaron Delashmutt

"Great class! Effective and relevant teaching in an area without much guidance."
- Mark DiSabato, Senior Information Security Architect, Roche

"The class cut through jargon to communicate concepts and implementation details."
- Developer, Fortune 100 insurance company

"Good overview regarding SOA Security. Contains new technology like AMQP and REST"
- Lars Loland, Statoil

"The course covered what I had to learn about Web services"
- Sven Vetsch, Dreamlab Technologies

"Very good, eye opening especially for websecurity noob."
-Michael Brandon

"Presenter has very broad and deep technical knowledge on subject. Content: good overview and comparison of SAML and WS-*"
- Security consultant, ING

"Good to learn where our application is vulnerable to attacks and how we can avoid them."
- Application Development Programmer Lead, Fortune 100 Insurance company

"Entirely thorough overview of technology surrounding the use of web services with a 1 day presentation"
- Technical consultant Contextis

"Gave a good overview of the Web services security environment"
- Francesco Degrassi, Emaze Networks

"A great entry point for securing your web services"
- Stig Kluver

"Lots of good technical information about an emerging area that's very useful"
- Rory McClune, HBOS PLC

"This class reinforced the importance of software security assurance to me as it lucidly demonstrated why being 'behind the firewall' is an outdated concept."
-Senior Support Engineer, Software Security vendor

"The area of SOA Security is complicated and youg. A course such as this helps bring it into focus."
-Jayme Frye, System Engineer, Union Pacific Railroad

"Web services security class provided application security concepts valuable for applications audits."
- Mary Ma, IT Auditor, DTCC

"Very knowledgeable coverage of security requirements for Web services."
- David Libershal, Network Security Engineer, Johns Hopkins University Applied Physics Laboratory

"WS/XML security is not a "black art", but you do need to know about it to be able to take it into consideration."
- Applications Specialist, Global 500 manufacturer

"Good overview of techniques worth considering when planning secure apps"
- EAI Specialist, Leading Mobility company

"Brought concepts in very easily understood terms."
-Glenn Bernard, Systems Engineer

"Gives ideas about the latest Web services security standards in the industry"
- Security Coordinator, Global 500 manufacturer

"Class cleared up various WS-* standards and gave great concrete examples of how to build a message using each standard. Very good general thoughts on security groups' role in IT."
- Matt Kasselman, UP Systems Engineering

"I found this very useful as an IT architect in a "security critical environment"."
- Mika Pullinen, IT Architect, Finnish Defense Forces

"Lots of useful information packed in a small amount of time. Good overall picture."
- Jari Pirhonen, Security Director, Samlink

"Gunnar is very knowledgeable about security topics and has a great ability to explain complex ideas using simple, appropriate, and amusing language and analogies."
- Scott Redd, Sr. Project Engineer, Union Pacific

"Excellent instructor who had a good pace to go through the presentation"
- Anna Vaahtokan, Specialist, Nordea

"Good application security principles."
- Tuomas Kivinen, IT Security Specialist, Nordea

"I liked the class quite a bit. I took it in a "survey mode" where I wanted to learn about topics at a high level, and this was accomplished. It was good to listen to those in the class that were much more familiar with SAO than I."
- John Glazeski, Senior Systems Engineer

Blue Box #82: Asterisk & Skype security vulnerabilities, new VoIP security tools, VoIP steganography, VoIP security news and much, much more...

Wed, 27 Aug 2008 15:53:18 +0000

Synopsis: Blue Box #82: Asterisk & Skype security vulnerabilities, new VoIP security tools, VoIP steganography, VoIP security news and much, much more...

Welcome to Blue Box: The VoIP Security Podcast #82, a 47-minute podcast from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.

Download the show here (MP3, 21MB) or subscribe to the RSS feed to download the show automatically.

NOTE: This show was originally recorded on June 21, 2008.

You may also listen to this podcast right now:

Show Content:

00:20 - Intro to the show, contact information and how to provide comments. Welcome to all the new listeners - and to all those listeners who have been here for so long!
Programming notes:
- Note about the production team – new special editions coming soon.
- Note about URLs for the media files
AST-2008-008 – Remote Crash Vulnerability in SIP channel driver when run in pedantic mode
AST-2008-009 – Remote crash vulnerability in ooh323 channel driver
Skype-SB-2008-003 – Skype File URI Security Bypass Code Execution Vulnerability

New version of SIPvicious

Sipflanker – tool to find SIP devices with web GUIs

Discussion about VoIP Steganography (pointed to by Craig Bowser)

Geeks Are Sexy: New Technology Hides Messages in Internet Phone Calls – and Switched: Spies to Use Skype to Send Secret Messages? – and The Register

FierceVoIP: VoIP Security and the Circle of Trust pointing to Government Computer News: Careful with the call

The Register: ‘Untraceable’ phone fraudsters eye your credit card

SearchUnifiedCommunications: Disaster and recovery in the VoIP/IPT RFP

Secure Computing: Voice tools under enemy fire

VNUnet: A good VoIP application is worth paying for

Ofcom confirms VoIP providers must provide access to 999 and 112

Bogdan Materna’s blog is live

Realtime Community: The Essentials Series:
Messaging and Web Security
Volume III

Global Knowledge: On-Demand Webinar on VoIP Security (hat tip to Thomas Lee )

SearchSecurity: The threats to telcos and how they can repel them

TMCnet: Balancing Issues in World of Telepresence

Network World: VoIP Security Buying Guide

Nortel and SecureLogix Team to Deliver Voice Security and Management Solutions to Worldwide Enterprise Market (see also this analysis )

Sipera Partner Network Arms Resellers With Comprehensive UC and VoIP Security

VIVOphone Deploys Paradial RealTunnel® to Solve NAT Traversal Challenges for VoIP Services

Audiocodes joins the ranks of SBC vendors

SearchSecurity: Securing the new network (interesting because it shows the layers of a defense in depth)

The Hindu Business News: Serious about Security

Shows:
- IP Telephony University – June 23-24, Alexandria, VA
- IPTComm 2008 – July 1-2, Heidelberg, Germany
- The Last H.O.P.E. – July 18-20, New York
- SpeechTek – August 18-20, New York
Call for papers for Hack-in-the-box Malaysia ends June 30th

SchmooCon 2008 videos available – several dealing with VoIP

No comments this week.
Review of the last week's traffic on the VOIPSEC public mailing list

Wrap-up of the show

47:09 - End of show

Comments, suggestions and feedback are welcome either as replies to this post or via e-mail to blueboxpodcast@gmail.com. Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows. You may also call the listener comment line at either +1-415-830-5439 or via SIP to 'bluebox@voipuser.org' to leave a comment there.

Thank you for listening and please do let us know what you think of the show.

Lasers Could Send World's Most Secure Messages Through Space

Wed, 27 Aug 2008 11:40:02 +0000

New experiments using Heisenberg's uncertainty principle extend the range of quantum cryptography, an advanced method of communicating in unbreakable code. Finding a way to keep snoops from tapping into other people's information is a challenge that has gone to the subatomic level. First proposed in 1984, quantum cryptography (QC) promises to send

SDL and the XSS Filter

Wed, 27 Aug 2008 11:35:00 +0000

Steve Lipner here. When the Internet Explorer team posted the announcement about the XSS Filter feature in IE8 I asked some other members of the SDL blog team “why aren’t we talking about the new XSS Filter feature on the SDL blog?” Bryan and Jeremy said something like “that’s a mitigation that only applies to specific clients and a subset of attacks”. So we didn’t cross-reference IE’s XSS Filter post on the SDL blog at the time. Instead, I agreed to write a subsequent post about the relationship of XSS Filter to the SDL and to the ways that our SDL and security science teams think about improving product security.

For those of you who aren’t familiar with XSS Filter, a brief summary is that it is a client-side defense against reflected cross-site scripting (XSS) attacks. It works by recognizing that reflected XSS attacks inject script into the string that the browser sends to the targeted web server. If the server doesn’t neuter or strip out the injected script, it gets sent back to the browser and executed in the context of the target web page. Bad things then happen. At a high level, XSS Filter remembers the string that the browser sent to the server, and looks at the server’s response to see if any of the script was actually in that string. If it was, then XSS Filter decides that it got there because it was injected by an XSS attack and blocks the script from executing. The rest of the web page renders as usual. This is a vastly oversimplified sketch of XSS Filter – for details, see the post by David Ross, inventor of XSS Filter on the Security Vulnerability Research and Defense blog.

So what does XSS Filter have to do with the SDL? Well, for almost nine years, since XSS was first discovered at Microsoft, we’ve been trying to figure out effective ways to reduce vulnerability to XSS attacks. Our focus has been on improving the ways that web page developers code their pages, and we’ve developed a lot of tools and techniques for making web content safer from XSS attacks and for detecting XSS vulnerabilities in live pages. The SDL requires the use of many of these tools and techniques, and we’re sure we’ve prevented a lot of XSS vulnerabilities from being introduced into Microsoft web pages as a result.

But while we identify (and the SDL requires) measures that allow developers to avoid classes of vulnerabilities, we also look to identify more sweeping solutions that can either 1) eliminate classes of vulnerabilities, 2) reduce their severity, or 3) reduce the likelihood of attacks being successful. The process usually starts from deep understanding of a class of vulnerabilities and attacks, and then we broaden defenses from there. In the case of XSS Filter, David’s years of work researching XSS led him to come up with an approach that blocks many of the most common vulnerabilities to reflected attacks found on the web today. The solution is compatible with existing web pages (doesn’t “break the web”) and thus we were able to enable it by default for users of Internet Explorer 8. Because it’s a client-side mitigation, it will help protect users from attacks even though the sites they visit may be vulnerable to XSS.

Our work on buffer overrun defenses follows a somewhat similar pattern – we started by prescribing coding techniques, banning the use of some APIs, and building tools that detect coding constructs that look like buffer overruns. As we gained a deeper understanding of how buffer overruns can be exploited, we enhanced the /GS compiler flag and added ASLR in a quest to cause classes of exploits to fail even if a buffer overrun remains. We’re not yet close to eliminating the SDL requirements for use of tools and coding techniques, but the SDL also requires the use of the mitigations to reduce the severity of vulnerabilities that slip past. Will we ever get to the point where the mitigating technologies are so strong that we can relax the coding requirements? Maybe not, but we will continue to introduce technologies that reduce the chances of a successful attack.

Similarly, in the case of XSS, even after IE8 ships, the SDL will continue to require the use of safe web site coding practices and tools such as the Anti-XSS library both to protect users of browsers other than IE8 and to provide protection in recognition of the fact that XSS Filter is a mitigation or defense in depth rather than a complete solution. But we’ll also be keeping our eyes open (and doing active research) in the quest for an even more effective defense – whether client or server side – that eliminates XSS for good.

This post is a little far afield from the normal content of the SDL blog, but I thought it was important to provide a picture of the role of security science and security research in defining SDL requirements and in making major improvements in software security. You can read more about our work in security science in the Security Vulnerability Research and Defense blog.

Locked iPhones can be unlocked without a password

Tue, 26 Aug 2008 20:00:00 +0000

Private information stored in Apple's iPhone and protected by a lock code can be accessed by anyone with just a few button presses.

Myspace Cracker Steals Firefox Passwords

Tue, 26 Aug 2008 14:49:03 +0000

A "Myspace Cracking tool" has recently come to light, though if you're considering attempting to crack some Myspace accounts with this:

....then you might want to think again, on account of it not being quite what it seems. This "cracking tool" is only after one persons details: yours. Run it, and you'll see the following (somewhat bizarre) message, which should be your first clue that all is not quite right here:

At this point, your CD tray may well pop open - perhaps in tribute to the Trojans of old that did pretty much the same thing. At any rate, you're certainly not cracking any Myspace accounts, and after a faint grinding from your PC you're left to sit and stare at your desktop, wondering what went wrong. Here's a clue - have a poke around inside the EXE, and some lines of code will likely start to give the game away:

..."Firefox password grabber"? Oh dear.

The observant end-user will notice a .txt file appears on their C Drive, and itcontains all the stored passwords saved via Firefox on their computer:

Click to Enlarge

As you can see, the bad guys here seem to be exploiting a well known password recovery tool for nefarious purposes - in this case, Firepassword. You're probably wondering what happens with the stored login details at this point - well, do some more digging in the code and you'll see this:

Click to Enlarge

The stolen Firefox passwords are sent to an FTP drop set up by the hacker, and every login you had stored in Firefox at that point is immediately at risk. Of course, if you're foolish enough to play around with hacking tools then there's a good chance you're going to get burned sooner or later...

We detect this as FoxPass.