That's quite enough of your XSS toying now, but I will thank you for the reminder. What is it that holds you back from being civil? Don't like my color scheme? Are you a SPAMmer that hates me for getting the word out? I suppose a hacker's legacy sometimes only amounts to cowardice, especially when your claim to fame is "I XSSed ericis.com for like 2 hours while he was at a movie man! How sweet is that?!" To which you would get the reply... "ericis.com? What's that?" "It's this guy that mentions security a couple of times and is totally anti-SPAM." "oh. Is he big-time?" "um... no, not really." "Weak... totally weak. Step up your game dude and make your skills worth something. You could really change the world with what you're learning, but that's just lame."
I recently discussed the need to effectively authenticate an application's execution context with several members of the development community, including the Open Web Application Security Project and AZGroups.com. Here are some important points to consider when securing your application's execution context (i.e. verifying that your application is executing from trusted installation sites):
*The following points are made from the perspective of a .NET implementation, so please modify them as necessary for other languages, including any examples or references in your comments.*

A simple example for an ASP.NET application would be to have the application log itself on start-up (an application signature like a GUID, IP, domain name, etc.) and monitor the log.
I think it's funny that Microsoft is preparing to sell Anti-Virus software. The idea of a company protecting their own software with a separate software product? I mean, who better to write such software, right? What a business concept; sell people software that works, but needs a separate product to work securely!
My website was attacked between the hours of 11 and 12 PM this morning here in Phoenix, AZ by the IP address 85.255.117.222. They quite obviously came across a couple of my pages where I had not properly handled the omission of a query string parameter (the thing in a url that looks like "webpage.aspx?parameter=somevalue"). When you removed the parameter from the query string on the 2 pages ("webpage.aspx"), it puked a nasty .NET error. The "hacker" (not really deserving of the name in this case) attempted to work their way deeper into the error, creating more than 3,500 web page hits on my website in 1 hour. So, I blocked the range of IPs from this host. The website inhoster.com owns these IPs and is directly associated with spyware activity.
After seeing the popularity of the AJAX methodology grow and new support technologies popping up left and right, I wondered what the implications on security were. We have discussed this at length at OWASP.org and everyone agrees... There are no new security threats posed by the implementation of AJAX other than possible bugs in the frameworks and implementing web browsers. However, solutions using AJAX are at great risk of falling prey to well known application vulnerabilities by failing to provide adequate security precautions around their exposed methods.
Personal and Shared Security
My mom sent out an e-mail today about a "new" credit card scam (none of this stuff is new). Someone contacts you with an elaborate story and your personal information to back-up their story and then they strategically ask you for targeted information they don't have yet. Could be your address, credit card number, etc. But, that's all "generally public" information anyways. It's not hard to get. What should raise red flags is questions about personal passwords.
The PIN on the back of your credit card is a password proving that you are in possession of the card. The ATM PIN you use at the bank is a password. Whether spoken, typed, gestured, or obtained through bioelectronics, a password is a password and you should guard it as such.
There are levels of trust for information, both personal information and shared information. In one example, your name could be a password. In another, it is the word you agree on with a child who is left at home alone. You might agree with your spouse to hide adult headaches from your children. You might have a password with your employer.
Always ask yourself, "What could possibly happen if I share this information?" Then, assess the risks you are willing to take, including any resulting consequences.
So, are you a trained monkey?
Companies will take what they can get, because, by definition, they exist to make a profit (see the laws of publicly traded companies on the stock market). If you are a United States citizen, you can rest assured that companies love to use your Social Security Number as a personal identifier and that they limit its use internally to "protect you". Yeah right... What happens when someone calls you up with incredibly personal information and asks you for something on the same "level of trust", or perhaps 1 level deeper? Can you be certain they are who they say they are? What about someone at your house?
Companies train you to be a monkey!
It's routine for a company to ask you questions about personal information over the phone to verify your identity. But, are you holding them accountable to the level of information they have access to? Are you, in turn, qualifying their identity?
After upgrading my AOL Instant Messaging program (AIM), I am fed up! EVERY TIME I install an AOL program (Netscape, AIM, etc.), they SPAM my computer with random shortcuts to their internet services. By the definition, that is spyware activity. So, I'm going on a rampage this week by submitting AOL to all of the popular Anti-Spyware programs (Spybot, Ad-Aware, Microsoft, etc.). They had better quit putting shortcuts in my internet browser, on my desktop, in my favorites, and in my closet or else! Who's with me?!
First of all, turn off your automatic form-filler!
Updates:
- Q: I read your post, but what does it all mean?
A: Any information you or your browser provide on a website, including information provided by automatic form-filler programs, could potentially be submitted without your knowledge to the website's servers. So, let's say you fill out your e-mail address to sign up for a newsletter and, before clicking "Subscribe", you decide not to. Using JavaScript (and "AJAX"), a website can monitor the form field to see when you have entered your e-mail address and then automatically submit it without you! This is not normal behavior, but you should be wary, especially when an automatic form-filler program fills out form fields on your behalf containing personal and often private information.
- Q: Dare wrote that this is a false alarm. Surely he knows best. Is it?
A: You visit my test page and then tell me if you voluntarily submitted the information in the textbox, or if it was automatically submitted behind-the-scenes without your approval...
- Q: Is this actually feasible and should we be as concerned as Eric suggests?
A: Absolutely! Once again, check out my test page and see how that translates to your personal and private information. Do you want people to automatically store your information without your knowledge? Sure, you (or your browser) wrote it down, but that doesn't mean you wanted to submit it!
- Q: How come I don't see any additional information on the subject?
A: You WILL! I am attempting to spread the word. Also, an individual on the Open Web Application Security Project and employee of Foundstone, Inc., a Strategic Security company, is already working on publishing a white paper on the issue soon.
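The behaviour described in the updates above is a script sending a field's value over XMLHttpRequest before any submit. As an added example (not code from the original post or its test page), here is a user-side monitor of the kind a bookmarklet or browser extension could install: it wraps XMLHttpRequest.send and fetch on the window it is given and reports any request that fires while no form submit is in progress. The `win` argument is assumed to be the browser window; the test drives it with a stub.

```javascript
// Added example, not from the original post. `win` is assumed to be the
// browser window object (or a stand-in with the same members).
function installSendMonitor(win) {
  const log = [];
  let submitting = false;

  // A genuine submit sets the flag until the current task finishes, so
  // requests made from the submit handler itself are not reported.
  if (win.document && win.document.addEventListener) {
    win.document.addEventListener('submit', () => {
      submitting = true;
      setTimeout(() => { submitting = false; }, 0);
    }, true);
  }

  function record(kind, url, body) {
    const entry = { kind, url: String(url), body, silent: !submitting };
    log.push(entry);
    if (entry.silent) console.warn('data sent without a submit:', entry.url);
  }

  if (win.XMLHttpRequest) {
    const proto = win.XMLHttpRequest.prototype;
    const origOpen = proto.open, origSend = proto.send;
    proto.open = function (method, url, ...rest) {
      this._monitorUrl = url;               // remember the target for send()
      return origOpen.call(this, method, url, ...rest);
    };
    proto.send = function (body) {
      record('xhr', this._monitorUrl, body);
      return origSend.call(this, body);
    };
  }
  if (typeof win.fetch === 'function') {
    const origFetch = win.fetch;
    win.fetch = function (input, init) {
      record('fetch', input, init && init.body);
      return origFetch.call(win, input, init);
    };
  }

  return {
    markSubmit() { submitting = true; },    // hooks for hosts without a DOM
    endSubmit() { submitting = false; },
    silentSends() { return log.filter(e => e.silent); },
    allSends() { return log.slice(); },
  };
}
```

The monitor only observes; whether a flagged send is harmless depends on the page, but a value leaving the browser before you pressed anything is exactly the case the updates describe.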
I wouldn't be surprised if you've heard the term AJAX recently. If you haven't, many websites are beginning to employ the family of technologies that collectively are called "AJAX" and you should be concerned.
Have you ever visited a website, completed a form, and submitted it only to have that information be redirected to another website? Browsers have warnings for this kind of activity. The newest browsers also have warnings for privacy-related concerns, alerting people to the fact that the website may use information inappropriately. Spybot, Ad-Aware, and other programs that seek out and destroy "spyware" often come with warnings of their own integrated within your internet browser, even blocking threatening activities.
But, wh
Is your computer protected?
- Posted On: 12/17/2004
I went a few years without virus prevention software on my home computer and everything was just fine. But, I sincerely believe that was due to my sufficient experience in web technologies and knowledge of hacking. (someone will probably hack me just for saying that) However, I simply can't keep up with the overwhelming swarms of attacks that come in so many different varieties now. Virus prevention software is a MUST on your computer and so is "malware" prevention software.
I highly recommend Norton anti-virus. Work pays for my corporate edition license, so I rest assured that Norton is doing all they can to protect my computer. For home, I use a month-to-month subscription service to McAfee anti-virus via my internet hosting provider, Cox.
That will ONLY cover "viruses". It does not cover securing your computer against vulnerable hack attempts (via a "FireWall"), it does not cover e-mail SPAM, and it doesn't cover "malware".
If you have Windows XP, use the Personal Firewall that comes with their new "Security Center" in service pack 2. The service pack is a way of updating your operating system with the latest fixes and offers additional features. If you know anything about routers, then you probably know that you can set up a firewall there as well. If you have a router, read the instructions and set it up properly. There are also many software packages out there for Firewall protection. McAfee offers a good solution. If you find you don't have many of the items listed in this article, then you may consider McAfee's internet package solution. I am certain there are many others, but I use some of their products and am satisfied.
SPAM is always difficult to get rid of. Microsoft Outlook has many features for getting rid of SPAM ("Junk Mail" and the "Adult Senders List"). Online e-mails, like Hotmail and many others offer SPAM protection as well. Owning your own domain, as I do, will require you to check with your website hosting provider to see what features their e-mail program supports for SPAM protection. As a last resort, it may be possible to "shut-down" your e-mail for a short while (2 to 3 days). Every sender to your e-mail during this inactive time will receive a response that the e-mail d