[SecurityRatty] tag: describes

MSDN Security Issue Articles

Thu, 13 Nov 2008 20:58:00 +0000

Bryan here. The SDL team is well represented in the annual security issue of MSDN magazine – we have three articles that might be interesting to you, given that you read the SDL Blog!

First up is a code review quiz, “Test Your Security IQ”. Put your C/C++/C# security skills to the challenge by reviewing ten tricky code snippets that Michael and I devised. As an added incentive, I’ll post public congratulations here in the SDL blog to the first person who reverses the insecure hash found somewhere in the exam (not to give too much of a hint).

Next up, we have “Agile SDL: Streamline Security Practices for Agile Development”. I’ve been talking about web application security issues in the SDL blog (and in the September issue of MSDN magazine, if you missed it). However, while it’s essential to make sure that web-specific issues are covered in the SDL, it’s equally important to make sure that web development teams – and other Agile development teams – can use the SDL effectively, and the classic, phased SDL approach is not always a good fit for these teams. This MSDN article is the first public look at the new SDL/Agile methodology that we’ve been working on for the last year. This process is currently in beta with some internal Microsoft product teams and online services. We’d love to get some external feedback on it before we release it to the entire company, so please send us your thoughts.

Finally, be sure to check out Michael’s Security Briefs column “Threat Models Improve Your Security Process”. Regular readers of this blog know how important threat modeling is to secure development. This article describes methods of using threat modeling not just to identify security vulnerabilities outright, but how to use it to make other SDL activities such as fuzzing and reducing attack surface more effective.

Three articles are more than enough for one team for one month! But be on the lookout for more articles from the usual SDL suspects in the near future. As always, keep watching this space for details.

White House Network Hacked By Chinese On Multiple Occasions

Fri, 07 Nov 2008 21:03:27 +0000

According to Demetri Sevastopulo from Financial Times, Chinese hackers have penetrated the White House computer network on multiple occasions, and obtained e-mails between government officials. US officials say Chinese hackers have raided White House email archives multiple times. The Financial Times reports some people it describes as “US government cyber experts” suspect the raids were [...]

Get a Windows Server on the Fly in the Amazon Cloud

Fri, 24 Oct 2008 08:26:49 +0000

Amazon's EC2 (Elastic Compute Cloud) was cool enough with its initial platform. Now it is offering Windows support on the EC2 platform. Thanks to Jesper's Blog for the tip. Like a lot about the EC2, this turns out to be really convenient for developers. Did you ever want to develop or test a Windows Web app on a real server, not just your test desktop, and not have to get a real server to do it? Now you can just virtualize up a Windows server in the cloud and it's yours: A virtual server running Windows Server 2003, SQL Server and all the .NET stuff preinstalled. A security white paper from Amazon describes the configuration of the Windows system images available and their differences from a standard Windows Server installation. Setup from the user's standpoint looks really easy; Jesper said it took him 5 minutes. A Security Configuration Wizard walks you through an attack surface reduction process, which helps you to turn off services that are not needed and restrict communications channels that should not be permitted. In the end you can save the image and spin off new ones to meet your new standards as necessary. EC2 is a great development for developers and a great way for Amazon to leverage all the work it has put into building its infrastructure. I see a lot of opportunities available.

Do you have poorly trained security guards working for you? If you do, al-Qa'ida may be watching

Sun, 19 Oct 2008 15:37:00 +0000

It seems strange that the Department of Homeland Security would be mentioning a recording by deceased al-Qa'ida operative Yousef Al-Ayeeri made before his death in 2003.

Eventhough DHS said there was no credible or specific information, they still deemed it necessary to release the note because it is "important for local authorities, building owners and operators to be aware of potential attack tactics".

Apparently, Al-Ayeeri made the recording to encourage other al-Qa'ida operatives to take over a publicly accessible building(s) in the U.S. and destroy it by using a series of strategically placed explosives.

What makes the plan especially interesting to a security consultant is the way Al-Ayeeri describes the ease with which operatives would be able to take over public buildings. His recording advises that it will be quite easy due to "poorly trained and lightly armed or unarmed security guards".

What does this tell us? It tells us that terrorists are carrying out surveillance right under our noses and taking notes when they observe a breach of security or "poorly trained security".

Hopefully none of you reading this have "poorly trained security" working for you. If you did, how would you know? Perhaps it is time to have a security review and or/survey of your premises conducted.

They say "dead men can't talk", but it nearly seems like this one is sending out a warning.

Intego warns against MacGuard malware

Thu, 16 Oct 2008 20:00:00 +0000

Intego, makers of VirusBarrier and other security software for the Macintosh, issued a security warning for Mac users on Friday advising them against the use of an application called "MacGuard." The company describes MacGuard as "a rogue program."

Threat Modeling at Microsoft

Mon, 13 Oct 2008 02:21:53 +0000

Interesting paper by Adam Shostack:

Abstract. Describes a decade of experience threat modeling products and services at Microsoft. Describes the current threat modeling methodology used in the Security Development Lifecycle. The methodology is a practical approach, usable by non-experts, centered on data ow diagrams and a threat enumeration technique of 'STRIDE per element.' The paper covers some lessons learned which are likely applicable to other security analysis techniques. The paper closes with some possible questions for academic research.

NERC Critical Infrastructure Protection Will Always Change with the Evolution of Technology

Thu, 09 Oct 2008 20:00:00 +0000

As Stewart Brand once said "Once a new technology rolls over you, if you're not part of the steamroller, you're part of the road". I think this quote describes perfectly the role in which IT departments are playing in implementing security programs, specifically those attributed to the NERC Cyber Security Standards...

Revealing Packed Malware

Wed, 08 Oct 2008 00:42:07 +0000

In concert with the ever-growing network applications, a significant increase in the spread of malware over the Internet has been observed. In cases where malware are the zero-day threats, generating their signatures for detection via anti-virus (AV) scan engines becomes an important reactive security function. However, modern malware can easily bypass AV scanners using packers, which can hide malicious file contents from detection. This article describes how packers work, and the three most commonly used unpacking methods. The authors describe the logic flow and behavior of Upack, a popular packer, as an example of a software packer.

Virtual Machine Introspection: Observation or Interference?

Wed, 08 Oct 2008 00:42:05 +0000

As virtualization becomes increasingly mainstream, virtual machine introspection techniques and tools are evolving to provide methods to monitor the behavior of virtual machines. This survey classifies and describes current VMI introspection technologies according to three primary classifications: threat monitoring versus interference, semantic awareness, and event replay. The authors also describe the Virtual Introspection for Xen (VIX) tool suite, which was developed to address key VMI requirements, and outline key research areas for future investigation.

The McAfee Secure Standard: Sort Of

Tue, 07 Oct 2008 19:47:00 +0000

I need your help.
I am in receipt of the McAfee Secure Standard, drafted to transparently describe the McAfee Secure service, as promised during my meeting with Joe Pierini and Kirk Lawrence of McAfee some weeks ago. I admit my attitude has soured since last I discussed it here, as the Standard is not yet ready for public release (I last said 2-3 weeks and that was five weeks ago), but bear with me. I can't publish exact quotes from the Standard, as I've promised not to, but let me give you insight on the upside, then the downside.

The upside includes all the transparency we'd hoped for. You'll read the McAfee Secure Standard and know exactly where they stand with regard as to what can be expected of the McAfee Secure Service. My discussions with Joe Pierini have been productive and respectful, he means well, and I believe he will try to drive the greater McAfee leadership to officially incorporate suggestions made in this blog.
I have even had the pleasure of reading a Researcher/Finder Policy that very succinctly describes what researchers can expect when they submit vulnerabilities found in McAfee Secure sites. That's all good stuff and to be applauded.

Now for the downside.

The McAfee Secure Standard will draw a clear distinction between "enterprise" customers and all the Ma & Pa websites who have so loved McAfee Secure / ScanAlert Hacker Safe for conversions.
The most glaring and painful distinction for me is this. While enterprise customers will have a clearly defined time line in which to remediate script injection vulnerabilities like XSS and open redirects, before losing their McAfee Secure badge, the Ma & Pa sites will have absolutely no requirement to fix their XSS issues. XSS vulnerabilities and the McAfee Secure badge will remain consistent on all those sites that care more about "convincing" their customers that they're secure with a McAfee Secure badge; a badge that, by its own pending standard, will contradict what we know to be truly secure.

My views are clear. I have made every effort to convince McAfee that this stance is counter intuitive to good web application security standards. I believe that, in their own way, they are listening. So here's your chance.
1) Is transparency enough?
2) Is holding only enterprise customers accountable acceptable?
3) Should ALL McAfee Secure customers be expected to fix their vulnerabilities, even if on different timelines?
4) What else do you want McAfee to hear, in the form of constructive feedback only?
I will publish all well written, thoughtful comments here. Let's keep it positive and see if we can help convince McAfee that script injection vulnerabilities and McAfee Secure can't exist in the same physical space. Like matter and anti-matter. ;-)
The floor is yours...

del.icio.us | digg | Submit to Slashdot