Archive for the ‘Security’ Category

Is Intellectual Property Security a Myth?

Is intellectual property protection a myth?

In a word, yes, sort of, at least in a technically accurate sense.

Last week I had a conversation with a developer who told me that his company would never develop an HTML5 app because his intellectual property was far too valuable to share with anyone who wanted it.

Of course, upon further discussion, like most of the developers who have said this to me over the years, what he was really concerned with was software piracy, but let's talk about the former first.

Developers, like the one I was talking to above, insist that their distributed applications be compiled so that their source code is “secured”.

Ok, 1999 called to say it misses you! :)

I was working at Microsoft when we released the beta versions of .NET. Included in the SDK was a decompiler. Developers around the world went nuts because all their source code would be stolen!

The truth of the matter is that source code is retrievable from compiled applications on all popular computing platforms. Just a bit of crafty googling will find you de-compilers for C#, Java, Visual Basic, C/C++ and a plethora of other languages.

These will turn your executable binaries into source code. Which tool you use would depend on the type of file you are decompiling which can be determined by headers in the files themselves.

The common response is that the decompiled code is not the same as the original source code. That is true, and it may be harder to read (or it may be easier), but either way the “intellectual property” would be exposed.

And there are other ways to get source code for an app too.

You will also find disassemblers that turn an executable binary file into assembly code. They basically convert the executable machine instructions into platform specific Assembly code instructions. If assembly code is not your thing you could then run a source translator to convert the Assembly into another language like “C”.

Of course this still doesn’t deliver the exact source code written by the developer. The resulting source code may not even be recompilable without modification, but again, the “Intellectual Property” has been retrieved.

There are very clever tools like the Holodeck Debugger that allow a skilled hacker type to view in real time what instructions are being executed by the operating system. (Holodeck is an AMAZING tool for good guy developers too!)

It’s possible to implement an encrypted operating system (file system, memory, runtime, etc.) that could decrypt programs in isolation for execution, but the characteristics of such an operating system would make it unsuitable for general consumer use.

So, when we talk about intellectual property protection in our applications it’s important to understand that what we are really talking about is just increasing the difficulty level involved in stealing our code or using it in meaningful ways that oppose our desires.

.NET and Java developers who felt the need solved this problem by using pre-compilation obfuscators. The obfuscation process converted the source code to a product that, while syntactically valid, made no sense to the human viewer.

When decompiled, the hacker has access to only the OBFUSCATED source code. The intellectual property was still in there, but for all intents and purposes, still secret. The process of reverse engineering code delivered after this obfuscation / compilation was too time consuming to be of interest. This makes the intellectual property secret in a practical sense, if not a purely technical one. Some obfuscators even produce source code that would fail recompilation attempts.

Likewise, people have been securing the logic and the content of the web for a long time. Obfuscators exist for HTML, CSS, and JavaScript. If you’re a web developer you have certainly cracked open a page or downloaded a JavaScript file and seen huge strings of hex digits. Those were probably a method of obfuscation.

For example, the following simple JavaScript program:


var a="Hello World!";
function MsgBox(msg)
{
    alert(msg+"\n"+a);
}
MsgBox("OK");

When obfuscated, it becomes this:


var _0xf979=["\x48\x65\x6C\x6C\x6F\x20\x57\x6F\x72\x6C\x64\x21","\x0A",
"\x4F\x4B"];var a=_0xf979[0];function MsgBox(_0xa221x3)
{alert(_0xa221x3+_0xf979[1]+a);} ;
MsgBox(_0xf979[2]);

Using the application will expose what it does, but viewing the source code does not expose HOW it does it.
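As an added illustration (not code from the original post), here is the string-table transform behind the sample above, written as a small JavaScript function, alongside the few lines needed to undo it. Running it on the MsgBox program reproduces the hex table shown, and the round trip shows why this kind of obfuscation only raises the effort required. The table name _0xf979 and the literal-matching regex are assumptions for the example; a real obfuscator also renames identifiers, which this leaves alone.

```javascript
// Added example, not from the original post: the "hex string table" obfuscation
// shown above, plus its reversal. Only string literals are transformed; real
// obfuscators also rename identifiers and minify, which is left out here.
const ARRAY_NAME = "_0xf979"; // assumed table name; tools pick a random one

// Turn every character of s into a \xHH escape (\uHHHH beyond U+00FF).
function toHexEscapes(s) {
  return Array.from(s, (ch) => {
    const code = ch.charCodeAt(0);
    return code > 0xff
      ? "\\u" + code.toString(16).toUpperCase().padStart(4, "0")
      : "\\x" + code.toString(16).toUpperCase().padStart(2, "0");
  }).join("");
}

// Decode \xHH and \uHHHH escapes back into characters.
function decodeEscapes(lit) {
  return lit.replace(/\\x([0-9A-Fa-f]{2})|\\u([0-9A-Fa-f]{4})/g, (_, x, u) =>
    String.fromCharCode(parseInt(x || u, 16))
  );
}

// Matches a double-quoted literal with simple backslash escapes. A regex is
// enough for the sample program; a real tool would use a JavaScript parser.
const STRING_LITERAL = /"((?:[^"\\]|\\.)*)"/g;

// Replace each string literal with a table lookup and prepend the hex table.
function obfuscateStrings(src, arrayName = ARRAY_NAME) {
  const table = [];
  const body = src.replace(STRING_LITERAL, (_, lit) => {
    // JSON.parse resolves escapes such as \n to the runtime value of the literal.
    const value = JSON.parse('"' + lit + '"');
    let idx = table.indexOf(value);
    if (idx === -1) idx = table.push(value) - 1;
    return `${arrayName}[${idx}]`;
  });
  const entries = table.map((v) => '"' + toHexEscapes(v) + '"').join(",");
  return `var ${arrayName}=[${entries}];` + body;
}

// Undo obfuscateStrings: read the table, decode it, inline each lookup.
function deobfuscateStrings(obf) {
  const header = obf.match(/^var\s+(\w+)=\[([^\]]*)\];/);
  if (!header) return obf; // not in the expected shape; leave untouched
  const [prefix, name, list] = header;
  const table = (list.match(STRING_LITERAL) || []).map((q) =>
    decodeEscapes(q.slice(1, -1))
  );
  const lookup = new RegExp(name + "\\[(\\d+)\\]", "g");
  return obf
    .slice(prefix.length)
    .replace(lookup, (_, i) => JSON.stringify(table[Number(i)]));
}

// The sample program from the post, embedded here as a constructed input.
const SAMPLE = [
  'var a="Hello World!";',
  "function MsgBox(msg)",
  "{",
  '    alert(msg+"\\n"+a);',
  "}",
  'MsgBox("OK");',
].join("\n");

const OBFUSCATED = obfuscateStrings(SAMPLE);
console.log(OBFUSCATED);
console.log(deobfuscateStrings(OBFUSCATED) === SAMPLE); // true: round trip
```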

There are really two things that people are interested in defending against. One is people using their software for free, the other is people stealing their source code which is to say the algorithms that are specific to their applications.

If you’re building an app using web standards (HTML5/JavaScript/CSS) you need to decide how much “protection” is enough to satisfy your concerns.

Of course the most secure method is to keep the parts of your logic that need to be secret on the server. You can modify your application’s architecture so that some functionality is only available when an internet connection is present.

You can use obfuscated client side assets to make it harder for prying eyes to work out and abuse your APIs. Of course, if an even higher level of security is necessary, you can further restrict access to the APIs by using SSL and a per-request token based authentication mechanism.

Similarly, once you have done the above you can use similar methods to assure that the user of your app is authorized to use it by periodically requiring an authentication handshake. (Mozilla apps will provide an API to help the developer do exactly this using Persona and the MozApps receipt system.)

Many organizations have discovered that these concerns are never realized when their apps become public, but above are a few ideas that you can use to make stealing your code more difficult. Remember, there is no such thing as an app that can’t be reverse engineered. But you can make them work for it!


A few reading resources for securing your IIS server.

Resources for securing Internet Information Services

http://support.microsoft.com/kb/282060

Security Guidance for IIS

http://technet.microsoft.com/en-us/library/dd450371(WS.10).aspx

Chapter 16 – Securing Your Web Server

http://msdn.microsoft.com/en-us/library/aa302432.aspx

Securing Your IIS Log File Folder

http://msdn.microsoft.com/en-us/library/ee810489(v=CS.20).aspx

Chapter 6: Hardening Web Services

http://technet.microsoft.com/en-us/library/cc264459.aspx

IIS 6.0 Technical Reference

http://technet.microsoft.com/en-us/library/cc775635(WS.10).aspx

AntiXSS V4.0 Released

AntiXSS is a .NET library which provides a myriad of encoding functions for user input, including HTML, HTML attributes, XML, CSS and JavaScript. AntiXSS differs from the standard .NET framework encoding by using a white list approach. All characters not on the white list will be encoded using the correct rules for the encoding type. Whilst this comes at a performance cost AntiXSS has been written with performance in mind.


What’s new in 4.0


Return values

If you pass a null as the value to be encoded to an encoding function, the function will now return null. Previous behaviour was to return String.Empty.

Medium Trust Support

The HTML Sanitization methods have been moved to a separate assembly. This enables the AntiXssLibrary assembly to run in medium trust environments, a common user request. If you wish to use the Html Sanitization library you must now include the HtmlSanitizationLibrary assembly. This assembly requires full trust and the ability to run unsafe code.

Adjustable safe-listing for HTML/XML Encoding

The safe list for HTML and XML encoding is now adjustable. You can now choose from the Unicode Code Charts which languages your web application normally accepts. Safe-listing a language code chart leaves the defined characters in their native form during encoding, which increases readability in the HTML/XML document and speeds up encoding. Certain dangerous characters will always be encoded.

Invalid Unicode character detection

If any of the HTML, XML or CSS encoding methods encounters a character with a character code of 0xFFFE or 0xFFFF (the characters used to detect byte order at the beginning of files), an InvalidUnicodeValueException will be thrown.

HTML 4.01 Named Entity Support

A new overload of the HtmlEncode method allows you to specify whether the named entities from the HTML 4.01 specification should be used in preference to &#xxxx; encoding when a named entity exists. For example, if useNamedEntities is set to true, © would be encoded as &copy;.

Surrogate Character Support in HTML and XML encoding

Support for surrogate character pairs for Unicode characters outside the basic multilingual plane has been improved. Such character pairs are now combined and encoded as their &#xxxxx; value.

If a high surrogate pair character is encountered which is not followed by a low surrogate pair character, or a low surrogate pair character is encountered which is not preceded by a high surrogate pair character, an InvalidSurrogatePairException is thrown.

HtmlFormUrlEncode

A new encoding type suitable for using in encoding Html POST form submissions is now available via HtmlFormUrlEncode(string input). This encodes according to the W3C specifications for application/x-www-form-urlencoded MIME type.

LDAP Encoding changes

The LdapEncode function has been deprecated in favor of two new functions, LdapFilterEncode and LdapDistinguishedNameEncode.

LdapFilterEncode encodes input according to RFC 4515, where unsafe values are converted to \XX where XX is the representation of the unsafe character.

LdapDistinguishedNameEncode encodes input according to RFC 2253, where unsafe characters are converted to #XX where XX is the representation of the unsafe character, and the comma, plus, quote, slash, less than and greater than signs are escaped using slash notation (\X). In addition to this, a space or octothorpe (#) at the beginning of the input string is \ escaped, as is a space at the end of a string. An override is also provided so you may turn off the initial or final character escaping rules, for example if you are concatenating the escaped distinguished name fragment into the midst of a complete distinguished name.

In addition to the RFC mandated escaping the safe list excludes the characters listed at http://projects.webappsec.org/LDAP-Injection.
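To make the two rule sets above concrete, here is an added JavaScript sketch (not AntiXSS's own code) of LdapFilterEncode and LdapDistinguishedNameEncode as the text describes them, together with a search filter built from untrusted input to show what the encoding prevents. The safe list used (letters, digits, space) is an assumption for the example; AntiXSS's real list is larger and also drops the characters catalogued at webappsec.org.

```javascript
// Added example, not AntiXSS's own code: the two LDAP encoders as the release
// notes above describe them. SAFE is an assumed safe list for the example.
const SAFE = /^[A-Za-z0-9 ]$/;
// Characters RFC 2253 escapes with a backslash inside an attribute value.
const DN_SPECIAL = new Set([",", "+", '"', "\\", "<", ">"]);

// Upper-case hex pairs for the UTF-8 bytes of a single character.
function utf8Hex(ch) {
  return Array.from(new TextEncoder().encode(ch), (b) =>
    b.toString(16).toUpperCase().padStart(2, "0")
  );
}

// RFC 4515 filter value: every unsafe character becomes \XX per UTF-8 byte.
// Like AntiXSS 4.0, null input yields null rather than an empty string.
function ldapFilterEncode(input) {
  if (input == null) return null;
  let out = "";
  for (const ch of input) {
    out += SAFE.test(ch) ? ch : utf8Hex(ch).map((h) => "\\" + h).join("");
  }
  return out;
}

// RFC 2253 attribute value, following the rules in the text: specials get \X,
// other unsafe characters get #XX, and a leading space or # and a trailing
// space are backslash-escaped unless the caller turns those rules off (for
// splicing a fragment into the middle of a complete DN).
function ldapDistinguishedNameEncode(input, { escapeInitial = true, escapeFinal = true } = {}) {
  if (input == null) return null;
  const chars = Array.from(input);
  const last = chars.length - 1;
  return chars
    .map((ch, i) => {
      if (DN_SPECIAL.has(ch)) return "\\" + ch;
      if (ch === "#" && i === 0 && escapeInitial) return "\\#";
      if (ch === " " && ((i === 0 && escapeInitial) || (i === last && escapeFinal))) return "\\ ";
      if (SAFE.test(ch)) return ch;
      return utf8Hex(ch).map((h) => "#" + h).join("");
    })
    .join("");
}

// A search filter assembled from untrusted input. Without encoding, the
// parentheses and wildcard in the constructed input "*)(uid=*" would close
// the filter early and widen the match; with it, they are inert.
function buildUidFilter(userInput) {
  return "(uid=" + ldapFilterEncode(userInput) + ")";
}

console.log(buildUidFilter("*)(uid=*"));                 // (uid=\2A\29\28uid\3D\2A)
console.log(ldapDistinguishedNameEncode("Smith, John")); // Smith\, John
console.log(ldapDistinguishedNameEncode(" #admin "));    // \ #23admin\ 
```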

MarkOutput

The ability to mark output using an HtmlEncode overload and query string parameter has been removed.


Minimum Requirements


AntiXSS 4.0 requires .NET Framework v3.5.

In addition if you wish to compile from source you will need Visual Studio 2010.


Installer


You can access the installer via the AntiXSS toolbox entry at

http://www.microsoft.com/downloads/en/details.aspx?FamilyID=f4cd231b-7e06-445b-bec7-343e5884e651


Source and license


The source for AntiXSS 4.0 will be available on CodePlex at http://wpl.codeplex.com/

The software is licensed under the MS-PL and no contributions have been taken from the community.

Software Security Books

   

Is Adobe the new Favorite Hacker Victim ??

I open several PDF files every day!

Check out these latest attack statistics from CNet


Microsoft has always been the Hack Attacker’s favorite victim, but in recent years we’ve made it harder and harder to successfully attack Microsoft products.

And so, the bad guys are diversifying their efforts – and Adobe seems to now be in their cross hairs.

[ Click HERE to read the article on CNet News ]

Whitepaper – Social Networking and Security

Brad Dinerman (who worked for me for a while in the 1990s) recently published an interesting paper on security issues with regards to Social Networking.

I’d like to share it.

http://www.fieldbrook.net/TechTips/Security/SocialNetworking.asp

New Templates added to Microsoft’s SDL (Secure Development) resources.


Security in applications becomes more and more important.

To date Microsoft has provided some great SDL resources.

But one consistent request has been for some Visual Studio Integration for SDL.

So….

Introducing the Microsoft SDL Process Template.


The SDL Process Template is a free downloadable template for Visual Studio Team System that integrates the SDL directly into your software development environment. Since it’s a TEAM tool and it integrates with the team and process features of Team System, you do need a Team Foundation Server to manage your work.

The SDL Template provides the foundational components of the SDL for every phase of development.

If you do not currently use Visual Studio Team System, and want to try the SDL Process Template, evaluation versions in both VPC and Hyper-V dev environments are available for download.

You can upload the SDL Process Template into that virtual environment and check it out for yourself.

Be safe out there !!!


The IDA Pro Book by Chris Eagle

This book is OFF THE HOOK !

Wanna REALLY dissect a running application ?

IDA Pro is THE tool of choice for disassembly, and the cracker's choice because of its raw power.

Whether you need to solve a tough runtime defect or examine your application security from the inside out, IDA Pro is a great tool and this book is THE guide for coming up to speed.

From the book description ….

  • Identify known library routines, so you can focus your analysis on other areas of the code
  • Extend IDA to support new processors and filetypes, making disassembly possible for new or obscure architectures
  • Explore popular plug-ins that make writing IDA scripts easier, allow collaborative reverse engineering, and much more
  • Utilize IDA’s built-in debugger to tackle obfuscated code that would defeat a stand-alone disassembler 

    Download Chapter 12: “Library Recognition Using FLIRT Signatures”

    http://www.nostarch.com/idapro.htm

3 New Security Videos Published !

    #8 | Changing Membership Settings in the Default Membership Schema

    #9 | Configuring SQL To Work with Membership Schemas

    #10 | Understanding ASP.NET Memberships

    [ Get them here ]

    New Security Video Series Launched

    Please checkout the first videos in my new Web Developer’s Security Video Series.

    http://www.asp.net/learn/security-videos/

    I’m hoping to do 100 Videos this year !

    PLEASE SEND YOUR REQUESTS !!!

    Announcing SecureDeveloper.com

    For many years I’ve had an interest in and a focus on Application Security.

    Now, I’ll be ramping up and doing a bunch of security related work in my role here at Microsoft.

    I hope you will add www.SecureDeveloper.com to your blog reader.

    I expect to include coverage of topics of interest to Web Developers, Server Admins, Rich Client Developers and RIA Devs.

    As always, please feel free to send your requests and suggestions !!

    LifeCycleSecurity conference – Aug 8 & 9 – Las Vegas, Nevada

    Check out this 2 day security brain fest. It happens to be right after Black Hat in Vegas. See you there ?

    The LifeCycleSecurity conference was started to provide a venue where professionals in the Application Security industry can learn from each other’s experiences.  We will be addressing security from the server to the browser. 

    Application Security : We will have topics that address how professionals are creating systems that are resistant to attacks against the web application layer and the systems that support these web applications.

    Browser security: With the increase in attacks against browsers such as malware and other attack vectors, protecting your users is more important than ever.  This is increasingly being done with content filtering devices.  The Lifecyclesecurity conference will include several tracks that address techniques that are being used to protect against these browser / content based attacks.

    http://www.lifecyclesecurity.com/

    Who’s Watching What You’re Watching?

    From – http://www.vistanews.com/

    According to the Broadband Report, as of last March 57% of U.S. households had broadband Internet. These high speed connections make it possible to enjoy multi-media applications, something that doesn’t work well – if at all – over slow dialup connections. And Internet users are taking advantage of that capability. By March 2008, more than 78 million videos had been uploaded to YouTube, the popular video sharing web site that was created in 2005 by three former employees of PayPal and was acquired by Google a year later. This means more than 150,000 videos are uploaded every day. http://www.vistanews.com/IB5SB2/080710-YouTube-Statistics

    Many of these are relatively short, homemade video clips that people take of themselves, their kids, their pets or whatever else they find interesting. The proliferation of cell phone cameras that can record short videos has made it very easy for just about anyone to become a “roving reporter.” Your YouTube account includes a feature that lets you create a mobile profile on the site and then get a special email address to which you can send your videos as MMS messages from your cell phone. You just enter your mobile phone number and provider name. You can also watch videos on your browser-equipped cell phone. Just go to http://m.youtube.com.

    In a society where everyone longs for his or her fifteen minutes of fame, YouTube gives us what we want. Aspiring stand-up comedians can get an instant audience, or you can share the video of your wedding with thousands of strangers around the world. Your creative efforts don’t exist in a vacuum, either. Those who view the videos can assign ratings to them so you know exactly where you stand (or don’t).

    Not all the videos that are uploaded to YouTube are originals, though. Looking for that Macbook Air commercial with the “New Soul” song? A quick search on YouTube will bring it up for you in all its glory. Or you might prefer this parody: http://www.vistanews.com/IB5SB2/080710-Parody

    Or you can click on the News and Politics category for news clips of everything from President Bush’s last State of the Union address to Associated Press footage of the recent Colombia hostage rescue.

    You might be wondering whether some of these videos might be copyrighted, and in fact many of them are, and are posted on YouTube without the permission of the copyright owner. And that brings us to our latest controversy. Although some companies don’t seem to mind having their material reposted to YouTube – and may even encourage it, for the publicity – others aren’t so happy.

    In 2007, Viacom (the media conglomerate that owns MTV, Paramount Pictures and DreamWorks movie studio, among others) invoked the Digital Millennium Copyright Act (DMCA) against YouTube, demanding that they take down more than 100,000 videos that Viacom claimed had been posted in violation of copyright laws. Viacom also filed a $1 billion lawsuit against Google/YouTube.

    As part of that lawsuit, Viacom asked for the log-in names and IP addresses of YouTube users and records of who watched what videos. And last week, U.S. District Court judge Louis Stanton granted that request, ordering YouTube to turn over their database logs to Viacom. Despite many protests from organizations such as the Electronic Frontier Foundation, the judge dismissed concerns about user privacy. http://www.vistanews.com/IB5SB2/080710-YouTube-User-History

    Viacom’s allegations of copyright infringement seem particularly egregious in light of the accusation from one film maker that Viacom tried to sue him for posting his own video on YouTube, which Viacom had used on their TV commercial without his permission. You can read his blog post about that here: http://www.vistanews.com/IB5SB2/080710-Viacom-Copyright

    The lawsuit against YouTube is important because it could set a precedent regarding the responsibility of a web site for content that’s posted by others, as well as defining what is and isn’t “fair use” when it comes to capturing snippets of a TV program or other copyrighted video. The DMCA includes a “safe harbor” provision that exempts hosting companies from liability for copyright infringement – if the hosting company removes the material when notified that it’s in violation of the copyright laws. YouTube contends that they comply with this requirement and also have other measures, such as the 10 minute limit on videos, that discourage copyright infringement.

    If Viacom wins this one, it could open up a much bigger can of worms. A new interpretation of the DMCA safe harbor provision could affect more than just video hosting sites. Web sites that host discussion forums might be held liable for what users post there; this would probably cause many of the online forums to simply disappear.

    But regardless of the outcome of the suit, YouTube’s users have already lost. The twelve terabytes of log data that Google must now turn over to Viacom contains viewers’ log-in IDs and IP addresses, the time each viewer began watching and the video that he watched. The judge seems to think this information can’t be used to identify individual users, but how many people do you know who use their names or some variation thereof as their log-in names on web sites like YouTube? And even if you don’t, an IP address can be tracked back through the ISP to the user account to which it was assigned at a particular time unless that user goes to the effort of using anonymizer services, something that the vast majority of casual users don’t do.

    There has been no indication at this time that Viacom or anyone else intends to go after the users who watched copyrighted video clips, but who knows? Who would have thought the RIAA would sue grandmothers and 9 year old kids for illegal sharing of music? And even if that doesn’t happen, does it make you a little nervous that someone is going over the records of what you watched and when?

    Tell us what you think. Does Viacom, as a copyright owner, have the right to demand not only that YouTube take down the videos that belong to them (a reasonable request) but also that YouTube provide them with information about the viewers who watched those videos? Should YouTube or any other web site hosting content that’s uploaded by its visitors bear the responsibility for that content if it violates laws? Would it bother you to have the records of your viewing habits made part of a court proceeding, or do you subscribe to the “if you aren’t doing anything wrong, you don’t have anything to worry about” philosophy? Should video sharing sites such as YouTube be restricted to homemade videos only? Or should the “fair use” provisions of the copyright law allow you to post small portions of a TV show, news program, etc.?

    My Secure Development Interview from TechEd 2008

    While at TechEd 2008 I got to spend some time in the “Fish Bowl” with Georgeo Pulikkathara.

    Georgeo interviewed me on Microsoft’s Secure Development Lifecycle (SDL) and my upcoming Developer Security Activities.

    Please [ click HERE ] to check out Georgeo’s blog post and [ Click HERE ] to have a listen to the show.

    Tools to block & eradicate SQL injection

    Microsoft has released an advisory for the recent SQL Injection attacks which points to several tools that will help identify and block these types of attacks. The goal of this blog post is to help our audience identify the best tool depending on their role (i.e. Web Developers vs IT administrators). Currently, there are three tools available which serve different purposes and complement each other.

    Web developers Recommendations

    The Microsoft ® Source Code Analyzer for SQL Injection is a static code analysis tool that identifies SQL Injection vulnerabilities in ASP code (ASP pages are the ones that have been under attack). In order to run this tool you will need source code access, and the tool will output the areas vulnerable to SQL injection (i.e. the root cause and vulnerable path are identified). In our view fixing the root cause of the bug is the best way to eradicate vulnerabilities. The tool scans ASP source code and generates warnings for first order and second order SQL Injection vulnerabilities.

    IT/Database administrators Recommendations (Web developers can benefit from this as well)

    We are recommending two tools, one can help identify SQL injection vulnerabilities by crawling the website (for example, when access to the source code is not possible) and the other one aims to block potential SQL injection attacks.

    HP Scrawlr, developed by the HP Web Security Research Group, will crawl a website, simultaneously analyzing the parameters of each individual web page for SQL Injection vulnerabilities (Microsoft has worked with HP in this effort). Scrawlr uses some of the same technology found in WebInspect but has been built to focus only on SQL Injection vulnerabilities. This will allow an IT/DB admin to easily find vulnerabilities similar to the ones that have been used to compromise sites in the recent attacks. No source code is required to run this tool. From a starting URL, the tool recursively crawls that URL in order to build up a site tree that will be then analyzed for SQL injection vulnerabilities. For more information check out https://download.spidynamics.com/products/scrawlr/ 

    Second, in order to block and mitigate SQL injection attacks (while the root cause is being fixed), one can deploy filters using URLScan 3.0. This tool restricts the types of HTTP requests that Internet Information Services (IIS) will process. By blocking specific HTTP requests, UrlScan helps prevent potentially harmful requests from being executed on the server. Basically, it uses a set of keywords to block certain requests (i.e. the request gets dropped and is never processed by SQL). That said, we highly encourage fixing the root cause of the problem instead of attempting to produce a perfect filter that will block all types of attacks (since in our view this is not possible and is error prone).

    5 Big Security Threats

    Baseline Magazine [ Click HERE ] has outlined the 5 Big Security Threats that Anti-virus software and firewalls MISS.

    1 Trusted Users and Partners

    2 Web Application Vulnerabilities

    Gartner estimates that 75 percent of today’s attacks are carried out through the application layer.

    Many of these application attacks are conducted through quickly coded Web applications, with little or no security baked in.

    Yet these Web apps are often connected to some of the most sensitive databases businesses own.

    3 Missing Devices

    4 Custom Malware

    5 Social Engineering

    [ CLICK HERE to read the whole article. ]

    Microsoft Patterns & Practices – Improving WCF Services Security

     Those smart guys in Microsoft Patterns and Practices have released the BETA version of their WCF Security guide.  The guide, Improving Web Services Security: Scenarios and Implementation Guidance for WCF, is our Microsoft playbook for Windows Communication Foundation (WCF /”Indigo”.)  It shows you how to build secure services using WCF.  It’s a compendium of proven practices, product team recommendations, and insights from the field.  It includes end-to-end application scenarios (Web applications / Smart Clients), as well as step-by-step How Tos.  Most importantly it frames out the Web services security space and shows you how to be effective with WCF.

    patterns & practices Improving Web Services Security: Scenarios and Implementation Guidance for WCF

    (Forewords by Nicholas Allen and Rockford Lhotka.)

    Download the Guide

    · Guide Download: http://www.codeplex.com/WCFSecurityGuide

    Contents at a Glance

    · Part I – Security Fundamentals for Web Services gives you a quick overview of fundamental security concepts as they relate to services, service-oriented design, and Service-Oriented Architecture (SOA.)

    · Part II – WCF Security Fundamentals gives you a firm foundation in key WCF security concepts, with special attention on authentication, authorization, and secure communication, as well as WCF binding configurations.

    · Part III – Intranet Application Scenarios shows you a set of end-to-end Intranet application scenarios that you can use to jumpstart your application architecture designs with a focus on authentication, authorization, and communication from a WCF perspective for your intranet.

    · Part IV – Internet Application Scenarios shows a set of end-to-end Internet application scenarios that you can use to jumpstart your application architecture design for the Internet.

    Chapters

    · Ch 01 – Security Fundamentals for Web Services

    · Ch 02 – Threats and Countermeasures for Web Services

    · Ch 03 – Security Design Guidelines for Web Services

    · Ch 04 – WCF Security Fundamentals

    · Ch 05 – Authentication, Authorization and Identities in WCF

    · Ch 06 – Impersonation and Delegation in WCF

    · Ch 07 – Message and Transport Security in WCF

    · Ch 08 – WCF Bindings Fundamentals

    · Ch 09 – Intranet – Web to Remote WCF Using Transport Security (Original Caller, TCP)

    · Ch 10 – Intranet – Web to Remote WCF Using Transport Security (Trusted Subsystem,HTTP)

    · Ch 11 – Intranet – Web to Remote WCF Using Transport Security (Trusted Subsystem TCP)

    · Ch 12 – Intranet – Windows Forms to Remote WCF Using Transport Security (Original Caller, TCP)

    · Ch 13 – Internet – WCF and ASMX Client to Remote WCF Using Transport Security (Trusted Subsystem, HTTP)

    · Ch 14 – Internet – Web to Remote WCF Using Transport Security (Trusted Subsystem, TCP)

    · Ch 15 – Internet – Windows Forms Client to Remote WCF Using Message Security (Original Caller, HTTP)

    Reference

    · WCF Security Checklist

    · WCF Security Guidelines

    · WCF Security Practices at a Glance

    · WCF Questions and Answers (Q&A)

    · How Tos

    · WCF Security Resources

    External Contributors/Reviewers

    · Andy Eunson; Anil John; Anu Rajendra; Brandon Bohling; Chaitanya Bijwe; Daniel Root; David P. Romig, Sr.; Dennis Rea; Kevin Lam; Michele Bustamante; Parameswaran Vaideeswaran; Rockford Lhotka; Rudolph Araujo; Santosh Bejugam

    Microsoft Contributors / Reviewers

    · Alik Levin; Brandon Blazer; Brent Schmaltz; Curt Smith; David Bradley; Dmitri Ossipov; Don Smith; Jan Alexander; Jason Hogg; Jason Pang; John Steer; Marc Goodner; Mark Fussell; Martin Gudgin; Martin Petersen-Frey; Mike de Libero; Mohammad Al-Sabt; Nobuyuki Akama; Ralph Squillace; Richard Lewis; Rick Saling; Rohit Sharma; Scott Mason; Sidd Shenoy; Sidney Higa; Stuart Kwan; Suwat Chitphakdibodin; T.R. Vishwanath; Todd Kutzke; Todd West; Vijay Gajjala; Vittorio Bertocci; Wenlong Dong; Yann Christensen; Yavor Georgiev

    More Information

    · Guide site: http://www.codeplex.com/WCFSecurityGuide

    · Project Site (Online KB): http://www.codeplex.com/WCFSecurity

    · Project updates at J.D. Meier’s blog: http://blogs.msdn.com/jmeier

    Critical Security Fix for BlogEngine.net

    Today, while sitting in a discussion about the new Microsoft MVC Framework at the Microsoft MVP summit, I got an email (reading on my phone) from Kevin Karasinski, a developer at Sandcastle Interactive.

    The subject line of the email was my blog password !

    Kevin sure knows how to get a guy's attention :)

    Kevin, good guy that he is, was taking the time to let me know about a newly discovered (and already fixed) security defect in BlogEngine.net, which is the blogging engine that I use here at JoeOn.net. 

    Thanks Kevin, you gave me a freakin’ heart attack !!!!

    Needless to say, my blog has been patched to remove the defect.

    Kevin pointed me to Danny Douglass’ blog entry HERE.

    And [ HERE ] is the official BlogEngine.net patch announcement.

    Kudos to Danny, and the BlogEngine.net guys for fixing this so quickly.

    And thanks to Kevin for taking the time to let me know, though maybe next time you can just call my cell phone :)

    JSON Hijacking and the National Enquirer

    A couple of days ago eWeek posted a panic attack here http://www.eweek.com/article2/0,1895,2110554,00.asp?kc=EWEWEMNL040307EP37A that sensationalized a paper that Fortify published here: http://www.fortifysoftware.com/advisory.jsp

    I posted a link to the article yesterday – sort of tongue in cheek, but decided to wait until I could refer to more information because folks might not intuit my point.

    So let me offer this subtle hint: THERE IS NOTHING NEW HERE !

    Security companies market themselves by generating press about their research – fair enough.

    Tech Media Companies like eWeek naturally sensationalize to keep their readership flowing (the National Enquirer model of Journalism).

    Now, it’s not like I don’t take developer security seriously. I spent about 4 of the past 6 years focused mostly on developer security.

    But it’s time we fix the perspective a bit. Fortify wants to identify the AJAX vendors as the source of these security problems. (And not just Microsoft but basically everyone that makes Ajax Software.)

    It’s great that security companies are looking at the rapid adoption of Ajax and calling attention to security issues. But, at the risk of sounding redundant …

    THERE IS NOTHING NEW HERE !

    HTTP & JavaScript have not changed. The possible programming mistakes have not changed. The defensive development practices that mitigate these risks have not changed. Just some of the buzzwords have been added.

    ScottGu has replied here to some of the specific call outs in the above referenced article : http://weblogs.asp.net/scottgu/archive/2007/04/04/json-hijacking-and-how-asp-net-ajax-1-0-mitigates-these-attacks.aspx

    Since it seems like there are still a good number of developers that are not yet up to speed on Web Development security and are particularly interested in how these security challenges relate to doing Ajax style programming…….

    I’ve been talking to my old security buddy Mark Brown about resurrecting the “Digital Black Belt” Secure Development Series to do an extended “Developing Secure Web Applications with ASP.NET and Microsoft Ajax”.

    Please offer your opinions so that I can gauge interest.

    Joe

    WEBCAST TODAY- AJAX Security Best Practices

    Today at 9:00 AM PST / 12:00 Noon EST

    Today is the final installment of the AJAX Security Webcasts.

    You can still attend TODAY.

    CLICK HERE TO ATTEND !

    PHP Security Woes

    I do a lot of PHP programming and like working with apps like Joomla and XOOPS, etc….

    I have wondered if PHP would suffer the scrutiny that ASP did a while back.

    This dialog on Slashdot is interesting……

    “PHP security holes have a name — quite often it was Stefan Esser who found and reported them. Now Esser has quit the PHP security team. He feels that his attempt to make PHP safer “from the inside” is futile. Basic security issues are not addressed sufficiently by the developers. Zeev Suraski, Zend’s CTO of course disagrees and urges Stefan to work with the PHP development team instead of working against it. But given the number of remote code execution holes in PHP apps this year, Esser might have a point. And he plans to continue his quest for security holes in PHP. Only that from now on, he will publish them after reasonable time — regardless if a patch is available or not.”