Faking digital signatures

by jk 2. January 2009 11:29

A coworker (thanks, James) found this article about how to fake a digital certificate for a web site. The quote below is from a related article, Researchers Use PlayStation Cluster to Forge a Web Skeleton Key:

A powerful digital certificate that can be used to forge the identity of any website on the internet is in the hands of an international band of security researchers, thanks to a sophisticated attack on the ailing MD5 hash algorithm, a slip-up by Verisign, and about 200 PlayStation 3s.

"We can impersonate Amazon.com and you won't notice," says David Molnar, a computer science PhD candidate at UC Berkeley. "The padlock will be there and everything will look like it's a perfectly ordinary certificate."
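The practical takeaway for anyone running a site: a certificate whose signature was computed over MD5 (or MD2, and these days SHA-1) no longer proves that the CA saw the name and key it appears to vouch for, so the thing to check in your own chains is the signatureAlgorithm field. The following is an added example, not code from the original post or from the researchers' work. It walks the outer DER structure of an X.509 certificate (SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }) with a minimal TLV reader, decodes the algorithm OID and flags the weak ones; the OID values are the standard RSA signature OIDs, and the `sample_certificate` helper builds a skeletal, deliberately invalid certificate purely so the check can run offline.

```python
import base64
import re

# Signature-algorithm OIDs (RFC 3279 / RFC 4055 values) that no longer bind a
# key to a name with any confidence: MD2 and MD5 are broken for collisions,
# SHA-1 is deprecated for signatures.
WEAK_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
}
SHA256_RSA = "1.2.840.113549.1.1.11"  # sha256WithRSAEncryption, what you want to see


def der_tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER tag-length-value element (used only to build the sample)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def der_read(buf: bytes, pos: int):
    """Decode the TLV at buf[pos]; return (tag, content, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def encode_oid(dotted: str) -> bytes:
    """Dotted OID -> DER content bytes (first two arcs packed as 40*a+b, rest base-128)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def decode_oid(raw: bytes) -> str:
    """Inverse of encode_oid for the arcs seen in practice (first arc 0, 1 or 2 < 40*3)."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear ends the arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def pem_to_der(text: str) -> bytes:
    """Strip the -----BEGIN/END----- armour and whitespace, base64-decode the rest."""
    return base64.b64decode(re.sub(r"-----[A-Z ]+-----|\s", "", text))


def signature_algorithm(cert_der: bytes) -> str:
    """Dotted OID of the outer signatureAlgorithm of a DER-encoded certificate."""
    tag, body, _ = der_read(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = der_read(body, 0)       # skip tbsCertificate
    _, alg_id, _ = der_read(body, pos)     # AlgorithmIdentifier SEQUENCE
    tag, oid, _ = der_read(alg_id, 0)      # its first element is the algorithm OID
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid)


def weak_signature(cert_der: bytes):
    """Name of the weak algorithm if the cert is signed with one, else None."""
    return WEAK_SIGNATURE_OIDS.get(signature_algorithm(cert_der))


def sample_certificate(sig_oid: str) -> bytes:
    """Constructed, skeletal certificate for testing: a placeholder tbsCertificate
    (just a serial INTEGER), the requested AlgorithmIdentifier with NULL params,
    and an empty BIT STRING signature. Not a real or valid certificate."""
    tbs = der_tlv(0x30, der_tlv(0x02, b"\x01"))
    alg = der_tlv(0x30, der_tlv(0x06, encode_oid(sig_oid)) + b"\x05\x00")
    sig = der_tlv(0x03, b"\x00")
    return der_tlv(0x30, tbs + alg + sig)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.4", SHA256_RSA):
        cert = sample_certificate(oid)
        print(signature_algorithm(cert), "->", weak_signature(cert) or "ok")
```

On a real chain, feed `pem_to_der(open(path).read())` into `weak_signature`, and check every certificate in the chain, not just the leaf: the forged certificate in the story was a CA certificate, so a leaf signed with SHA-256 is worthless if an intermediate above it was signed with MD5. A full verifier also confirms that `tbsCertificate.signature` matches the outer algorithm; `openssl x509 -noout -text` shows both.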

stay safe out there :)

jk


The weakest (security) link...another example

by jk 13. November 2008 09:04

Yet another example of people being the weakest link in the security chain, courtesy of http://mashable.com/2008/11/12/twitterrank/

Something called “Twitterank” has been #1 on Twitter’s trending topics for much of the afternoon, and a flurry of tweets have been coming across along the lines of “my twitterank is 30.35!” with a link to an individual page for each user on a crudely designed website. While the site doesn’t give any real details as to what the number means, users have been handing over their credentials en masse to get the latest peek at what their Twitter popularity might be. Bad idea.

Think about how many places people use login + password as authentication credentials. People use different credentials for each site, right? lol, no way. People stick with what works, so if I can get your Twitter creds, how many other sites can I access?

Guess I won't get a twitterrank...rats :)

jk


Don't sit there!

by jk 22. October 2008 16:02

I ran across this story on the ComputerWorld security site.  One of the amazing things I find about security stuff is the amount of thinking (lots all the way to none) that the bad guys do :)

http://blogs.computerworld.com/another_stupid_credit_card_thief?source=NLT_SEC&nlid=38

The owner of a car in New Orleans reported that her purse had been taken from her unlocked car. She also reported that her credit card company said the card had been used to buy a ticket to the Saints / Vikings football game. So the cops showed up at the game right before halftime, and the 15-year-old perp's guilty butt was planted right in the assigned seat on his ticket. Brilliant.

So a few points of observation / free advice:

  1.  If you steal a credit card and use it to buy a ticket to a football game, DON'T sit in the seat on the ticket. I am pretty sure the cops came there expecting not to find the guy sitting there, but they had to follow the lead and got lucky.

(others removed for brevity)...

I have an additional bit of wisdom here:
5.  DON'T LEAVE YOUR PURSE IN AN UNLOCKED CAR!!!!!

Too bad for the 15-year-old perp that most of the excitement in that game for the Saints happened in the 2nd half (Reggie Bush's 2.5 punt returns for touchdowns; I give him .5 for nearly returning one, but instead tripping over a hashmark) :)

jk


OWASP MSP 2008 Conference

by jk 22. October 2008 16:01

I got the pleasure of attending this conference yesterday (it was only $25)!  I took good handwritten notes, and will transcribe them into blog form in the next couple of days.  The content could be a bit rough (hey, I have to try and read my own writing...) but some content is better than none!

cheers

jk


New season of the Digital Blackbelt series- coming to an internet browser near you

by jk 14. October 2008 16:12

Joe Stagner is back!  http://www.misfitgeek.com/The+Digital+Blackbelt+Webcast+Series+Is+BACK.aspx.  He has 3 upcoming webcasts on the following security-related topics:

11/3/2008; 11:00 AM (PST)
Convincing Management: The Business Case for Adding Security to the Development Life Cycle

11/10/2008; 11:00 AM (PST)
Security Development Lifecycle: Building an Intentionally Secure Development Process

11/24/2008; 11:00 AM (PST)
Threat Modeling for Software Developers

'See' you there!

stay safe

jk 


SQL Injection comic

by jk 2. January 2008 18:34

My friend Ryan* sent me this comic about SQL Injection today. Here is a link to Wikipedia in case you are not familiar with SQL Injection. Your favorite search engine will also yield many results.

While it makes for a funny comic, SQL Injection is no laughing matter. As Michael Howard stated in Writing Secure Code (2nd ed.), p. 341, "all input is evil until proven otherwise". I hope every developer who reads this will post a copy of this comic in their workspace as a reminder to validate input, and that even a serious topic like security can be made fun!

Cheers to a more secure 2008! :)
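Validating input is the defense-in-depth part; the primary fix for SQL injection is to never let user input become part of the SQL text at all. The following is an added example, not code from the original post or the comic it links to: a login lookup written the vulnerable way (string concatenation) next to the fixed way (bound parameters), run against a constructed in-memory SQLite table with made-up users, so you can watch the classic comment and `OR '1'='1'` payloads succeed against one and fail against the other.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory users table with constructed sample rows (not real accounts)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "hash-of-alice-pw", "admin"), ("bob", "hash-of-bob-pw", "user")],
    )
    return conn


def login_vulnerable(conn, username: str, password_hash: str):
    """VULNERABLE: user-controlled strings are spliced into the SQL text, so the
    attacker gets to rewrite the query. Returns the matching (username, role) rows."""
    sql = (
        "SELECT username, role FROM users WHERE username = '" + username
        + "' AND password_hash = '" + password_hash + "'"
    )
    return conn.execute(sql).fetchall()


def login_parameterized(conn, username: str, password_hash: str):
    """FIXED: the query shape is fixed at development time; the values travel to the
    engine separately as bound parameters and are never parsed as SQL."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(sql, (username, password_hash)).fetchall()


# Two classic payloads (constructed). In SQLite, '--' starts a comment to end of line.
COMMENT_OUT_PASSWORD = "alice' --"   # turns the password clause into a comment
TAUTOLOGY = "' OR '1'='1"            # makes the WHERE clause true for every row


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, comment payload :", login_vulnerable(db, COMMENT_OUT_PASSWORD, "wrong"))
    print("parameterized, same payload :", login_parameterized(db, COMMENT_OUT_PASSWORD, "wrong"))
    print("vulnerable, tautology       :", login_vulnerable(db, TAUTOLOGY, TAUTOLOGY))
    print("parameterized, tautology    :", login_parameterized(db, TAUTOLOGY, TAUTOLOGY))
    print("parameterized, real creds   :", login_parameterized(db, "alice", "hash-of-alice-pw"))
```

Note the tautology case: because `AND` binds tighter than `OR`, the injected `WHERE username = '' OR '1'='1' AND password_hash = '' OR '1'='1'` is true for every row, so the vulnerable version hands back the whole table. The parameterized version returns nothing for either payload, because a username literally equal to `alice' --` does not exist.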

jk


PRNG is not easy (Security)

by jk 22. November 2007 12:57

Who owns usernames and passwords?

by jk 6. October 2007 19:57

I've been catching up on some of the old DotNetRocks shows that I missed.  Yesterday I was listening to show #167 - Security Update with Patrick Hynds and heard Mr. Hynds explain a security policy they have in place regarding usernames/passwords.

"But we’ve added to that policy that any password user name combination that they use in the office belongs to the company and they can't use it anywhere else under penalty of being terminated." and "...I don’t want my corner hardware store for you to login and win a new hammer by giving them your user name your password from the network and then your company email address because now they have a recipe for logging in."

It got me to thinking about how many logins we all have, and if you can hack one site and get a username/password combination for one user, how many other sites will it work on?  MSN, Amazon, eBay, banks, corporate network...the list goes on.  One additional quote from Mr. Hynds is "the enemy of security is convenience".  Sure, it is very convenient to have only one set of credentials to remember, but that is not a secure solution.

A couple of risk-mitigation strategies for this are:
1.  Come up with some kind of heuristic to append, prepend or insert into the middle of your password on a per-site basis, e.g. for Amazon, take the 1st and 4th letters of the site name and put them in your password someplace.

2.  Use a password manager program and have a cryptographically strong password per site.  I personally use PasswordSafe (Bruce Schneier) and have friends who use PasswordMinder (Keith Brown).  The downside of this is that I don't know any of my passwords, so if I don't have my password manager program with me (thumb drives work well for this), I'm out of luck, but at least it is secure!

3.  Wait for the internet to embrace CardSpace :)
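Option 2 is the one that actually removes the reuse problem that both this post and the Twitterank post above describe: option 1 still leaks a pattern, since anyone who obtains one of your passwords can see the per-site tweak and guess the others. The following is an added example, not code from the original post or from either password manager named above. It shows what a manager does for you: drawing each password from the OS CSPRNG (`secrets`, never `random`), putting a number on how strong that is, and scanning a vault for the reuse that the Twitterank scenario exploits. The vault contents are constructed and are not real credentials.

```python
import hashlib
import math
import secrets
import string

# Printable ASCII minus space: 94 symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Password drawn uniformly from alphabet using the OS CSPRNG.

    secrets.choice is backed by os.urandom. random.choice (Mersenne Twister) is
    predictable from a few outputs and must not be used for secrets.
    """
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size).
    Only valid for generated passwords; a human-chosen one is far weaker than
    this formula suggests."""
    return length * math.log2(alphabet_size)


def find_reused_passwords(vault):
    """Group vault entries that share a password.

    vault: iterable of (site, username, password) tuples, as a password manager
    holds them. Returns {fingerprint: [sites...]} for every password used on
    more than one site. Passwords are compared by a truncated SHA-256 so the
    plaintext never appears in the report.
    """
    by_fp = {}
    for site, _user, password in vault:
        fp = hashlib.sha256(password.encode("utf-8")).hexdigest()[:16]
        by_fp.setdefault(fp, []).append(site)
    return {fp: sites for fp, sites in by_fp.items() if len(sites) > 1}


# Constructed sample vault (fake sites, fake credentials): one password reused
# across three sites, one properly generated per-site password.
SAMPLE_VAULT = [
    ("twitter.example", "jk", "Summer2008!"),
    ("corp-vpn.example", "jk", "Summer2008!"),
    ("bank.example", "jk", generate_password(24)),
    ("amazon.example", "jk", "Summer2008!"),
]


def reuse_report(vault=SAMPLE_VAULT):
    return find_reused_passwords(vault)


if __name__ == "__main__":
    pw = generate_password()
    print(f"generated: {pw}  (~{entropy_bits(len(pw), len(ALPHABET)):.1f} bits)")
    for fp, sites in reuse_report().items():
        print(f"password {fp}... is reused on: {', '.join(sites)}")
```

A 20-character password from this 94-symbol alphabet carries about 131 bits of entropy, far beyond anything a per-site tweak of a memorable word gives you, and the reuse scan is the check to run the day one of your sites announces a breach: every site it lists shares the exposed password.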

I would personally like to see the concept that companies own the credentials to their systems make its way into every corporate employee handbook.  It is a sound security principle IMHO.  It will change the way I use passwords!

be safe!

jk


UrlScan gotcha

by jk 1. October 2007 11:59

The other day I was helping one of the new developers on our project get the code up and running (ASP.NET 2.0 project). When she brought up the web site in the browser, IIS kept returning the terse error message:

"The system cannot find the file specified"

I checked the IIS log and saw it was returning HTTP 404 (File not found), tried all the common tricks of clearing the download cache, deleting the temporary ASP.NET files, running aspnet_regiis.exe, checking folder ACLs…you get the idea! While poking around the %windir%\system32\inetsrv folder structure, I noticed that UrlScan had been installed. This is of course a good security practice, but it gave the hint necessary to fix the problem. If you go to http://www.microsoft.com/technet/security/tools/urlscan.mspx and look at the urlscan.ini settings, the AllowDotInPath option was set to 0 (false). Per the documentation:

Setting AllowDotInPath to 0 will cause UrlScan to reject any request where the file extension is ambiguous due to a dot-in-path condition.

Of course, our virtual directory had dots in it! Changing this setting to 1 and running IISRESET made everything right again.
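The "dot-in-path condition" means a dot in a directory segment rather than in the file name: for a request like /my.app/Default.aspx, IIS's extension mapping could read the extension as .aspx or could treat everything after the first dot as the extension, and UrlScan refuses to guess. The following is an added example, not code from the original post or from UrlScan itself: it reproduces just that one rule over a request path and reads the setting from a constructed urlscan.ini fragment, so you can see exactly which paths the strict setting rejects. The [Options] section name and the default of 0 when the key is absent follow the UrlScan documentation as I remember it and are assumptions here. Before flipping the setting to 1 for the whole server, consider renaming the virtual directory so no directory segment contains a dot; that keeps the protection and fixes the 404 just the same.

```python
import configparser
from urllib.parse import urlsplit

# Constructed urlscan.ini fragments: the setting this post tripped over, off and on.
STRICT_INI = "[Options]\nAllowDotInPath=0\n"
RELAXED_INI = "[Options]\nAllowDotInPath=1\n"


def dot_in_path(url: str) -> bool:
    """True when any directory segment (everything before the final segment) contains
    a dot. That is the ambiguous case: '/my.app/page' could be file 'page' inside
    directory 'my.app', or a resource whose extension starts at '.app'. A dot in the
    final segment ('/app/Default.aspx') is the normal file extension and is fine.
    The query string is not part of the path and is ignored."""
    path = urlsplit(url).path
    segments = [s for s in path.split("/") if s]
    return any("." in seg for seg in segments[:-1])


def allow_dot_in_path(ini_text: str) -> bool:
    """Read AllowDotInPath from urlscan.ini text. Assumption: the key lives in
    [Options] and an absent key behaves like 0 (reject)."""
    cfg = configparser.ConfigParser()
    cfg.read_string(ini_text)
    return cfg.getint("Options", "AllowDotInPath", fallback=0) == 1


def urlscan_decision(ini_text: str, url: str) -> str:
    """'reject' or 'allow', modelling only the dot-in-path rule; the real UrlScan
    applies many other rules (verbs, extensions, headers) as well."""
    if dot_in_path(url) and not allow_dot_in_path(ini_text):
        return "reject"
    return "allow"


if __name__ == "__main__":
    for url in ("/my.app/Default.aspx", "/myapp/Default.aspx", "/myapp/v1.2/list"):
        print(f"{url:28} strict={urlscan_decision(STRICT_INI, url):6} "
              f"relaxed={urlscan_decision(RELAXED_INI, url)}")
```

When a request is rejected, UrlScan writes the rule that fired to its own log (under the UrlScan folder in inetsrv), which is the quickest way to tell a UrlScan 404 from a real missing file.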

Thankfully UrlScan has a log file as well, in which I was able to see this request being rejected. I was surprised that there were few posts on this, so hopefully someone else finds this post useful and it saves another developer some valuable time!

jk


DROP, DRIP, SDL and OBTK

by jk 16. May 2007 20:18

OK, nice title, four acronyms and one word :)

This post is about security, but even if you *hate* security, please keep reading.  I'll try to keep this post short and to the point!

I was reading through the latest SC Magazine and ran across this article talking about the aforementioned acronyms DROP and DRIP:

Definitions
DROP == Distributed Responsibility Of Protection
DRIP == Designing Responsibility In Protection
SDL == Security Development Lifecycle
OBTK == One Butt To Kick (OK that is not a real acronym, but it really means being accountable)

DROP's main premise is to have lots of people with their eyes on security (Mr. Lawhorn likens it to a neighborhood watch program).
DRIP's main premise is to build security in from the ground up, starting with the design
SDL == DRIP
OBTK != DROP -- Through experience (gosh, do I sound old now), not having one person or group accountable for anything is a slippery path to trouble.  If more than one person is 'responsible' (using that term loosely), human nature tends to assume/trust that other people have done their job and that you can give something a cursory glance and approve it.

I find myself in the DRIP camp.  (yes, i'm a drip, all jokes aside :) )

jk


Powered by BlogEngine.NET 1.4.5.0
Theme by Mads Kristensen