After being hacked (I think I was vulnerable because I hadn’t updated WordPress), I was forced to do a little cleanup around ScarTech.net. Part of the cleanup and upgrades include a nice new theme.
I’ll detail the hack in a later post.
In the next installment of my security series, I’ll tackle SQL injection. In true code reuse fashion, I’ll provide a couple of links that do a great job of explaining some misconceptions about SQL injection and how to protect your application.
First here’s a link to a post on Glen Gordon’s blog about injection: http://blogs.msdn.com/glengordon/archive/2008/04/15/some-sql-injection-attack-misperceptions-and-reality.aspx. Glen includes a nice list of common mistakes when thinking about preventing injection attacks.
Next is a link from the MSDN magazine showing how to stop injection attacks: http://msdn2.microsoft.com/en-us/magazine/cc163917.aspx
I know this was a lazy post, but cut me some slack. I’ve got a 2 month old baby and a new PS3. 
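To go with the two links above, here is an added example, written for this post rather than taken from it or from the linked articles, showing the same customer lookup built two ways: once by pasting the user’s text into the SQL, and once with a typed parameter. The table, column and connection string are made up for the example; the connection is never opened, because the point is the command text that reaches the server.

```csharp
// Added example (not from the original post or the linked articles): the same
// lookup written with string concatenation and with a typed parameter.
// Table, column names and the connection string are made up for the example.
using System;
using System.Data;
using System.Data.SqlClient;

static class CustomerQueries
{
    // Vulnerable: the caller's text is pasted into the SQL, so a single quote
    // in the name ends the string literal and whatever follows is parsed as SQL.
    public static SqlCommand FindByNameUnsafe(SqlConnection conn, string name)
    {
        return new SqlCommand(
            "SELECT Id, Name FROM Customers WHERE Name = '" + name + "'", conn);
    }

    // Fixed: the SQL text never changes. The value travels to the server as a
    // typed parameter and is only ever compared as data, quotes and all.
    public static SqlCommand FindByNameSafe(SqlConnection conn, string name)
    {
        var cmd = new SqlCommand(
            "SELECT Id, Name FROM Customers WHERE Name = @name", conn);
        cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = name;
        return cmd;
    }

    static void Main()
    {
        // Constructed input: a perfectly legitimate name that contains a quote.
        string name = "O'Brien";

        // The connection is built but never opened; only the command text matters here.
        using (var conn = new SqlConnection("Server=(local);Database=Shop;Integrated Security=true"))
        {
            // Unsafe version: the quote in the name breaks the statement.
            Console.WriteLine(FindByNameUnsafe(conn, name).CommandText);

            // Safe version: the statement is fixed and the value rides alongside it.
            var safe = FindByNameSafe(conn, name);
            Console.WriteLine(safe.CommandText + "   -- @name = " + safe.Parameters["@name"].Value);
        }
    }
}
```

The same rule applies to stored procedure calls and to ASP classic code using ADO: if the value arrives through a parameter object rather than through the statement text, the database never has to guess where the data ends and the SQL begins.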
Cross site scripting can be a tough vulnerability to eliminate, but it doesn’t necessarily have to be. If you’re working on an ASP.NET project, the Microsoft Anti-XSS library is easy to use and freely available. Like a lot of developers, I’ve rolled my own anti-XSS by escaping specific characters, but it’s usually clunky and, let’s face it, there are still bound to be vulnerabilities. The MS library can be used to encode HTML, HTML attributes, JavaScript, VBScript, as well as encode for XML and XML attributes.
Always encode data from untrusted inputs. Just a few examples include:
- Databases
- Form fields
- Session variables
- Query string
- Cookies
Using the library is very simple. Just add a reference to the dll to your project, and you’re ready to go. Here’s a quick and dirty code example encoding a value from the query string:
using Microsoft.Security.Application; // namespace that contains the AntiXss class
// Encode the untrusted query string value before it is written into the page.
string Name = AntiXss.HtmlEncode(Request.QueryString["Name"]);
A good rule to live by is “When in doubt. Encode it.” Just don’t encode it twice.
You can download the library from Microsoft here.
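Here is an added example, written for this post and not taken from it or from the Anti-XSS library, that shows why the library has separate HTML, attribute and JavaScript encoders and what “don’t encode it twice” looks like in practice. Because the Anti-XSS dll isn’t part of the base class library, `System.Net.WebUtility.HtmlEncode` stands in for `AntiXss.HtmlEncode`, and the JavaScript string encoder is hand-written; the class and method names are my own.

```csharp
// Added example (not from the original post or the Anti-XSS library): output
// encoding for three different contexts, plus what happens when you encode twice.
// System.Net.WebUtility.HtmlEncode stands in for AntiXss.HtmlEncode here so the
// program runs with nothing but the .NET base class library.
using System;
using System.Net;
using System.Text;

static class OutputEncoding
{
    // Text placed between HTML tags: &, <, >, " and ' become entities.
    public static string ForHtmlBody(string untrusted)
    {
        return WebUtility.HtmlEncode(untrusted ?? string.Empty);
    }

    // Value inside a double-quoted HTML attribute. The same entity encoding is
    // enough as long as the attribute really is quoted in the markup.
    public static string ForHtmlAttribute(string untrusted)
    {
        return WebUtility.HtmlEncode(untrusted ?? string.Empty);
    }

    // Value inside a JavaScript string literal. Every character that is not an
    // ASCII letter or digit is written as \xHH or \uHHHH, so the value cannot
    // close the string, the statement or the surrounding <script> element.
    public static string ForJavaScriptString(string untrusted)
    {
        var sb = new StringBuilder();
        foreach (char c in untrusted ?? string.Empty)
        {
            if (c < 128 && char.IsLetterOrDigit(c))
                sb.Append(c);
            else if (c < 256)
                sb.Append("\\x").Append(((int)c).ToString("X2"));
            else
                sb.Append("\\u").Append(((int)c).ToString("X4"));
        }
        return sb.ToString();
    }

    static void Main()
    {
        // Constructed sample input standing in for Request.QueryString["Name"].
        string name = "Bob <script>alert('hi')</script>";

        Console.WriteLine("<p>Hello, " + ForHtmlBody(name) + "</p>");
        Console.WriteLine("<input value=\"" + ForHtmlAttribute(name) + "\">");
        Console.WriteLine("var name = '" + ForJavaScriptString(name) + "';");

        // Encoding twice: the first pass turns & into &amp;, the second pass
        // encodes that & again, so the browser shows the text "&amp;" to the user.
        string once = ForHtmlBody("Tom & Jerry");
        string twice = ForHtmlBody(once);
        Console.WriteLine(once);
        Console.WriteLine(twice);
    }
}
```

The encoder has to match the spot in the page where the value lands: HTML entity encoding does nothing useful inside a `<script>` block, and JavaScript escaping does nothing useful between tags. Encode once, at the moment of output, and keep the raw value in the database.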
At work we’ve started a pretty aggressive re-write of our web applications. We’re moving them all to a set of common style-sheets, graphics and master pages as well as putting both our web server and SVN repository into a logical structure. What started as just a few ASP.NET applications has grown to a jumbled mix of .NET apps, web services and ASP classic applications. Since we’ll be touching a lot of code in this project, we’re going to be taking a long hard look at security. Among other tasks we’re taking steps to prevent SQL injection and we’re making sure we close any cross-site scripting vulnerabilities.
We work on strictly enterprise applications and as a result we’re tucked in behind a nice corporate firewall. This is no comfort though because we have sites all over the world, and there are countless opportunities for attackers to get behind enemy lines. Because I’m beginning to take a more in-depth approach to security and how I write code, I thought I would share some of my lessons here in yet another series of blog posts (like the Second Look at Linux and FLOSS series weren’t enough). My next installment will concentrate on using the Anti-Xss library as well as a few code samples. The library is free to use and provides an easy method for encoding output from untrusted sources (i.e. the user).
If you consider yourself even a little bit of a geek, you would never trust your home wireless network to WEP encryption simply because it can be cracked in a matter of minutes. I insist on better protection for my iTunes share on my local network. Would you trust it to protect your customers’ personal and credit card information? I don’t think so, but the TJX Companies thought it was OK. As a result they got burned.
It’s not a secret that WEP is not secure, and the IT management for TJX must have known it. Now I’m sure it’s expensive to upgrade the wireless systems in however many stores they operate, but security isn’t a “don’t fix it if it ain’t broken” type of thing. Keeping your security current has to be a priority, because you can guarantee that attackers are looking for any vulnerability they can find. They’re looking for the path of least resistance, and WEP ain’t very resistant.
The hackers who ransacked TJX Companies Inc.’s computer network and exposed at least 45.7 million credit and debit card holders to identity fraud reportedly began their assault by exploiting Wi-Fi weaknesses at a Marshalls clothing store near St. Paul, Minn.
I don’t believe the use of WEP is the only lax security issue TJX was guilty of either. Why keep so much customer personal data for so long? I believe that’s part of the issue. The fact that the major credit card companies require merchants to keep the card number for transactions simply adds to the problem. I realize it’s saved in the case of a disputed charge, but that doesn’t change the fact that it’s a honey pot to attackers. If the credit card number doesn’t have to be stored, then there’s no threat of customers being affected by a security breach.
So here’s my proposal. Associate a second number with a credit card, and store that number in the merchants’ systems. This number isn’t useful by itself, but it can be used by VISA or MasterCard to determine the card holder. If the merchant’s system is compromised, the secondary number can’t be used to make purchases or just about anything else for that matter. It’s only useful to the credit card company when a charge is disputed. Does this sound plausible to you?
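As an added sketch of the proposal above (my own code, not anything from the post or from a card network), here is a tiny token vault: the card network hands the merchant a random token, the merchant’s transaction log stores only that token, and only the network can map it back to a card when a charge is disputed. The class names, the card number (a standard test number pattern) and the amount are all made up for the example.

```csharp
// Added example (not from the original post): a sketch of the "second number"
// proposal. The card network keeps the only mapping from token to card; the
// merchant stores nothing but the token. Names and the card number are made up.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

// Hypothetical card-network service.
class CardNetworkVault
{
    private readonly Dictionary<string, string> tokenToCard = new Dictionary<string, string>();

    // Issues a token built from random bytes, so it reveals nothing about the card
    // and cannot be turned back into the card number without this table.
    public string IssueToken(string cardNumber)
    {
        byte[] random = new byte[16];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(random);
        }
        string token = "TOK-" + BitConverter.ToString(random).Replace("-", "");
        tokenToCard[token] = cardNumber;
        return token;
    }

    // Only the network can map a token back to the card, e.g. for a disputed charge.
    public bool TryResolveDispute(string token, out string cardNumber)
    {
        return tokenToCard.TryGetValue(token, out cardNumber);
    }
}

// Hypothetical merchant system: records each transaction with the token only.
class MerchantTransactionLog
{
    public readonly List<KeyValuePair<string, decimal>> Entries = new List<KeyValuePair<string, decimal>>();

    public void Record(string token, decimal amount)
    {
        Entries.Add(new KeyValuePair<string, decimal>(token, amount));
    }
}

static class Program
{
    static void Main()
    {
        var network = new CardNetworkVault();
        var merchant = new MerchantTransactionLog();

        // Constructed card number (a well-known test number pattern, not a real card).
        string token = network.IssueToken("4111111111111111");
        merchant.Record(token, 49.99m);

        // Everything that lives in the merchant's database: tokens and amounts only.
        foreach (var entry in merchant.Entries)
            Console.WriteLine("stored: " + entry.Key + " amount " + entry.Value);

        // What the network can still do when the charge is disputed.
        string card;
        if (network.TryResolveDispute(token, out card))
            Console.WriteLine("dispute resolved to card ending " + card.Substring(card.Length - 4));
    }
}
```

The property that matters is that the merchant side holds nothing an attacker can spend: a copy of the merchant’s database yields tokens that only the network’s table can interpret, so the honeypot the post describes simply isn’t there.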
There’s always cash though.
I’m not a Facebook user. To be honest, I’ve got better things to do with my time. If I was a member though, I would expect my private profile to be just that: private. Well think again. According to the Valley Wag, a member’s private profile was made available to his employer.
The poster had pictures of himself with his firearms — which, though legal and taken on the employee’s own time, the company was concerned about.
Now I don’t have any problem with law enforcement requests to see this type of information, but your boss? Come on. That’s ridiculous.
Tags: Security
Picture the following scene. It’s a dark, smoky room. Gathered around a table are the godfathers of several powerful crime families. They’ve huddled together to discuss their next big move. It sounds like yet another gangster movie, but it looks like something similar has happened in the world of online criminals. According to this news story, it looks like the Russian Business Network may have relocated to China. Never heard of the RBN? Well they’re not exactly your friendly neighborhood hosting provider.
According to Spamhaus RBN is “Among the world’s worst spammer, child-pornography, malware, phishing and cybercrime hosting networks. Provides “bulletproof hosting”, but is probably involved in the crime too”. RBN was the subject of an article in the Washington Post on October 13, 2007, where Symantec and other security firms claim RBN provides hosting for many illegal activities, including identity theft and phishing. The article quotes a spokesman for Kaspersky Labs that the owners of RBN might not have directly violated the law as they primarily provide hosting services; their customers are apparently the ones violating laws.
The Internet is the most significant technological advancement in my lifetime, but along with the benefits it’s offered there are also those who use it as a tool for mischief. To be a successful spammer or to have a successful phishing site requires a hosting provider that at best looks the other way or at worst supports your activities.
One alleged “phishing” gang, known as the Rock Group, which used the company’s hosting service, is estimated to have made $150 million last year by tricking people into providing bank account details.
The RBN is also said to have developed dozens of fake anti-spyware and anti-virus programs to dupe people into giving it access to their computers in the mistaken belief that they were protecting themselves from online threats.
The RBN’s activities are so notorious that VeriSign, one of the world’s biggest Internet security companies, has dubbed it “the baddest of the bad.”
What really irritates me is that these losers don’t even have the courage to commit their crimes face-to-face. I can just imagine some greasy, smelly neck-bearded geek trying to hold up a little old lady and getting a beat down by granny. Hell, these guys may even have political connections.
It has recently been alleged that the founder and leader of the organisation, known as ‘Flyman’, is related to a “powerful and well-connected” Russian politician. In light of this, it is entirely possible that recent cyber-terrorism activities, such as the May 2007 denial of service attacks in Estonia, may have been co-ordinated by or out-sourced to such an organisation. Although this is currently unproven, intelligent estimates suggest this may be the case.
Like any other criminal organization, they’re highly organized.

Now considering the fact that the RBN and their accomplices are practically big business, it may seem like there’s nothing we as developers can do. That’s not the case. We’ve all got family or friends who aren’t exactly tech-savvy.
- Warn them about phishing scams. Make sure they know their bank or credit card company isn’t going to contact them via email requesting information.
- Help them install a virus scanner and anti-spyware software from reputable companies (AVG, AdAware, etc).
- Warn them about not downloading and running software they find online.
- Install Firefox for them and get them off of IE if they’re on Windows.
It only takes a little prudence and knowledge to avoid becoming yet another cyber-victim. As the resident geek in your family (don’t deny it - you know you are), help make it just a little more difficult for these losers to find more victims.
Tags: Security
Like most good developers, I always take precautions to prevent SQL injection. We’ve also got to worry about cross-site scripting, but now cross-build injection is becoming a concern. Apparently an attacker compromises a server that houses a build component or the DNS server used to find that server. The attacker can then take control of the build machine and inject code into an application while it’s being built. Am I the only one this frightens? I don’t work on any projects where I’m using a remote server for builds or dependency tracking, but I do use quite a bit of software that’s built on them.
Let’s think of a scenario such as this: I’m using an open source library to handle zipping and unzipping of files in an application I’m deploying to multiple servers in my corporate network. Now let’s say the build or dependency server of the open source library I’m using has been compromised and a trojan has been inserted into the library. Now I’ve unknowingly introduced that trojan to several production servers on my corporate network. Developers and IT departments are obsessed with securing their networks and operating systems; the development stack must be secured as well.
It seems the main culprit is the automated dependency management system. According to Brian Chess of Fortify Software:
The first and simplest is to refrain from adopting automated dependency management systems altogether. Managing dependencies manually eliminates the potential for unexpected behavior caused by the build system.
While I haven’t heard of an open source project being compromised yet, I don’t think it’s unreasonable to say that the possibility is there. Here’s a link (pdf) to the Fortify Software report detailing the topic.
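Short of dropping automated dependency management altogether, one practical defense against the scenario above is to record the hash of a dependency when you first review it and refuse to build if the copy that arrives later differs. Here is an added example of that check (my own code, not from the Fortify report or any build tool); the file name and contents are constructed stand-ins for a downloaded library, and the “pinned” value is simply the hash taken from the reviewed copy.

```csharp
// Added example (not from the original post or the Fortify report): pin the
// SHA-256 of a reviewed dependency and detect a copy that no longer matches it.
// The file name and bytes are constructed stand-ins for a downloaded library.
using System;
using System.IO;
using System.Security.Cryptography;

static class DependencyCheck
{
    // Lower-case hex SHA-256 of a file on disk.
    public static string Sha256Hex(string path)
    {
        using (var sha = SHA256.Create())
        using (var stream = File.OpenRead(path))
        {
            return BitConverter.ToString(sha.ComputeHash(stream)).Replace("-", "").ToLowerInvariant();
        }
    }

    // True only if the file on disk hashes to the value recorded at review time.
    public static bool MatchesPin(string path, string pinnedSha256Hex)
    {
        return string.Equals(Sha256Hex(path), pinnedSha256Hex, StringComparison.OrdinalIgnoreCase);
    }

    static void Main()
    {
        // Constructed stand-in for the zip library the post talks about.
        string path = Path.Combine(Path.GetTempPath(), "ziplib-example.dll");
        File.WriteAllBytes(path, new byte[] { 0x4D, 0x5A, 0x01, 0x02 });

        // The pin is taken once, from the copy somebody actually looked at.
        string pinned = Sha256Hex(path);
        Console.WriteLine("reviewed copy matches pin: " + MatchesPin(path, pinned));

        // Simulate a tampered download: a single byte changed on the server.
        File.WriteAllBytes(path, new byte[] { 0x4D, 0x5A, 0x01, 0x03 });
        Console.WriteLine("tampered copy matches pin: " + MatchesPin(path, pinned));

        File.Delete(path);
    }
}
```

Run this as a pre-build step with the pinned hashes checked into source control alongside the project; a mismatch should fail the build loudly rather than silently re-downloading, since a compromised build or DNS server would serve the altered copy every time.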
Tags: Security