Mahavir Sancheti

Laser Combat @Ranway9 Hyd

2009-06-28T12:41:00.000-07:00

Winning Laser Combat team@ Runway9. From LtoR - Ravi,Raghu,Mahavir,Anil,Mark,Neha

Securing Microsoft’s Cloud Infrastructure

2009-06-28T12:31:00.000-07:00

Good white paper on Microsoft take of Cloud Security.
The Online Services Security and Compliance (OSSC) team within the Global Foundation Services (GFS) division builds on the same security principles and processes Microsoft has developed through years of experience managing security risks in
traditional development and operating environments. More

I am at Tech Ed 2009@HICC ,Hyderabad India

2009-05-15T23:42:00.000-07:00

I am at Tech Ed 2009@HICC ,Hyderabad India

CSSLP certified Now.

2009-04-20T11:54:00.000-07:00

I am CSSLP certified now. :)

One Place holder for most the security stuff..

2009-03-06T23:53:00.000-08:00

Thanks to J.D for creating this Place folder for most of the security related stuff..
From J.D Meiers. Blog entry.
"This post is a simple way to get to my stuff on MSDN. I always get asked how to find my patterns & practices stuff on MSDN. I always have a hard time finding it. I'm presenting at our Executive Briefing Center (EBC) today, so now I have a simple response for when I get asked, "OK, so where do we find this?"" more

S/MIME Vs RMS -Part II

2009-02-01T07:39:00.001-08:00

Characteristic	S/MIME	RMS
Strong private key protection	Possible	Not possible
Private key storage	Disk (user profile), smart card	RM Account Certificate
usage rights (copy, print, forward)	No	Yes
Data rights can be configured to expire	No	Yes

Ease of use	Medium	Medium
Managerial efforts	High	Medium
Symmetric encryption algorithms	DES, 3DES, RC2 (Outlook)	DES, AES
Asymmetric encryption algorithms	RSA	RSA
PKI	Yes	No
Trust Relationship possible	Yes, through cross certification or sub-ordination	Trust relationships can be configured between RM Servers.
Compatibility	S/MIME, X.509 are cross-platform standards. S/MIME is implemented in most mail clients.	XrML is submitted as standard. IRM is only implemented in Outlook 2003; view-only functionality available in RMA. Additional clients can add IRM functionality through RM Client SDK.
Revocation checking	Done by the client (configurable), encrypted content is still accessible if cert not valid	Done by the server (when issuing EULs), encrypted content is not accessible once old licenses expire.
Expiration behavior	Expiration of the user's certificate does not affect decryption of encrypted files, but does prevent subsequent encryption of emails.	Expiration of user's RM account certificate will immediately prevent decryption of any existing or new RM-protected information.

S/MIME Vs RMS -Part I

2009-01-18T08:24:00.001-08:00

S/MIME	RMS
Provides non-repudiation and identity attestation of the sender	Provides information usage policy enforcement
Provides for integrity protection and proof of tampering (signature validation)	Prevents tampering due to encryption
Security boundary may span outside corporate boundaries and firewalls	Policy persisted with the content
End to end encryption prevents sniffing and message interception	End to end encryption prevents sniffing and message interception
Cross-platform interoperability and wide application support	Windows Platform only (98SE and above), CE and Mac next
Two factor authentication for sending and receiving s/mime enabled mail	Prevents users from using expired content or information
Strong encryption and very large key sizes	Fixed encryption key sizes and algorithms
Limited message compression only in OWA	Provides message compression for all modes

Threat Model of "Star Wars"

2009-01-06T23:15:00.000-08:00

Death Star Threat Modeling –

Part 1- http://www.youtube.com/watch?v=x0HfHmRN9x4
Part 2- http://www.youtube.com/watch?v=OHnXsL4Z3vo
Part -3 http://www.youtube.com/watch?v=ZWT_5TGZ5h4

One of the costly Arthimatic overflow bug resulting in a loss of more than US$370 million

2008-12-21T07:25:00.000-08:00

One of the costly Arithmetic overflow bug resulting in a loss of more than US$370 million.

Ariane 5 Flight spacecraft crash in June 1996.

"Because of the different flight path, a data conversion from a 64-bit floating point to 16-bit signed integer value caused a hardware exception (more specifically, an arithmetic overflow, as the floating point number had a value too large to be represented by a 16-bit signed integer). Efficiency considerations had led to the disabling of the software handler (in Ada code) for this error trap, although other conversions of comparable variables in the code remained protected. This led to a cascade of problems, culminating in destruction of the entire flight. "

Source Wikipedia

Common security issues in XML,XSLT,XSD files

2008-10-31T09:38:00.000-07:00

Here is some of the issues related XML,XLST,XSD. I know It is very rough list.

· Do validate all user inputs for XML/HTML/Script Tags-XML Injection

· Before creating an XML, data should be properly encoded to avoid XML injection. (Hacker can inject malicious script in the CDATA section)

· XML data should be validated using a native .Net class to ensure that it does not contain any malicious data.

· Serving XML/XSLT/XSD files over HTTP

· Clear text secrets in XML files

· XML Output Escaping Turned off

· XML files in the web root

· SQL injection using invalidated user inputs.

Interesting Example!!! Security ROI: Fact or Fiction?

2008-10-31T09:25:00.000-07:00

Interesting Example!!!

Security ROI: Fact or Fiction?

Airport security. Assume that all the new airport security measures increase the waiting time at airports by—and I'm making this up—30 minutes per passenger. There were 760 million passenger boarding in the United States in 2007. This means that the extra waiting time at airports has cost us a collective 43,000 years of extra waiting time. Assume a 70-year life expectancy, and the increased waiting time has "killed" 620 people per year—930 if you calculate the numbers based on 16 hours of awake time per day. So the question is: If we did away with increased airport security, would the result be more people dead from terrorism or fewer?

From CSOnline.

ACE TEAM@ACE CONFERENCE-REDMOND WA

2008-09-28T10:15:00.000-07:00

Here is the Team Snap after ACE Conference@Redmond. Entier 4 days are full of security sessions ,presentations, Hands on different tools.

10-15th August : ACE Conference

2008-08-03T03:56:00.000-07:00

Attending ACE Security Conference in Redmond, WA,USA. 11th- 15th August 2008. attending more than 100+ Security Professionals from all over the world. Once of its kind of footstep of BLACKHAT.

Key Configuration areas to look during Security Reviews.

2008-06-30T08:48:00.000-07:00

I categorize them in 3 buckets
1) Web server Configurations
2) Database Configurations
3) Application Level Configurations

Database Configurations

Installation Considerations for Production Servers
Patches and Updates
Protocols Accounts
Shares
Ports
Auditing and Logging
Files and Directories
Services
Registry
SQL Server Database Objects
SQL Server Security
SQL Server Users
SQL Server Logins
SQL Server Roles

Web Server Configurations

IIS Lockdown
Patches and Updates
Services
Accounts
Protocols
Files and Directories
Ports
Shares
Registry
Sites and Virtual Directories
Auditing and Logging
Script Mappings
IIS Metabase
ISAPI Filters
Server Certificates
Code Access Security
Machine.config
Other Check Points

Application Level Configurations

Web Server
IIS Specific
SQL Server Specific
Source Code
Auditing and Logging
ASP.Net 2.0 Specific Issues

I joined Microsoft India this month

2008-05-21T09:00:00.000-07:00

i happy to share that this month i joined Microsoft india. it is like dream come true.

2008-04-22T12:12:00.000-07:00

PCI Standards and Application Security.

From my experience i am tried to identified the Controls/Requirement which come under Application Security bucket. This are the major controls, apart from that there are other controls which comes under different bucket's like Infrastructure Security, Process , Physical Security etc.

Requirement 6.3.7, 6.5, 6.6 , 11.3.2 talks about Application Security

PCI DSS Requirements - Application security
•6.3.7 Review custom code prior to release to production or customers, to identify potential coding vulnerabilities.
•6.5 Develop web software and applications based on secure coding guidelines such as the Open Web Application Security Project.
Review custom application code to identify coding vulnerabilities
•6.6 Ensure that all web-facing applications are protected against known attacks by applying either of the following methods:
–Having all custom application code reviewed for common vulnerabilities by an organization that specializes in application security
–Installing an application layer firewall in front of web-facing applications.
PCI DSS Requirement -Integrating Security in Software Develpoment Life cycle
•6 Develop and maintain secure systems and applications
PCI DSS Requirement -Application Penetration Testing
•11.3 Perform application-layer penetration tests at least yearly
–11.3.2 Application-layer penetration tests.

Common Top 10 web Vulnerabilities – PCI Equivalence

Major Vulnerabilities mention in PCI DSS Requirement 6.5

§6.5.1 Unvalidated input
§6.5.2 Broken access control
§6.5.3 Broken authentication and session management
§6.5.4 Cross-site scripting (XSS) attacks
§6.5.5 Buffer overflows
§6.5.6 Injection flaws (for example, Xpath injection ,SQL injection)
§6.5.7 Improper error handling
§6.5.8 Insecure storage
§6.5.9 Denial of service
§6.5.10 Insecure configuration management

Reference https://www.pcisecuritystandards.org/pdfs/navigating_pci_dss_v1-1.pdf

http://www.owasp.org/index.php/Top_10_2004

History before PCI- DSS- Compliance

2008-04-19T06:23:00.000-07:00

PCI DSS stands for Payment Card Industry Data Security Standards.

The Payment Card Industry Security Standards Council was formed, and on the 15 December 2004 by Following Five major compaines.

Initially this compaines have there own security program.

Visa Card Information Security Program
MasterCard Site Data Protection
American Express Data Security Operating Policy
Discover Information and Compliance
JCB Data Security Program

PCI- Compliance - What it means to Organization

2008-04-19T03:46:00.000-07:00

What is PCI- DSS?

The Payment Card Industry (PCI) Data Security Standard (DSS) is a worldwide standard mandated by Visa and MasterCard for the protection and Security of cardholder information.

To whom it applies

"Any organization that processes credit card information, including merchants and third-party service providers that store, process or transmit credit card/debit card data "

Standards and requirements for data security
Non-legislative, but enforceable through Fines

PCI DSS-“Digital Dozen”
Build and Maintain a Secure Network
1: Install and maintain a firewall configuration to protect cardholder data
2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3: Protect stored cardholder data
4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
5: Use and regularly update anti-virus software
6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7: Restrict access to cardholder data by business need-to-know
8: Assign a unique ID to each person with computer access
9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10: Track and monitor all access to network resources and cardholder data
11: Regularly test security systems and processes
Maintain an Information Security Policy
12: Maintain a policy that addresses information security

To Become a PCI Compliance we need Classify them in different buckets

No “single technology” makes company PCI compliant. Above figure shows the broad classification of all 12 Requirement controls.

Continue in part -2

SAP Security

2008-03-03T01:08:00.001-08:00

SAP Security Assessment V3 English

From: fseineldin, 6 months ago

| View | Upload your own

SAP Security Assessment framework

SlideShare Link

COMMONLY FOUND SECURITY ISSUESS IN WEB SERVICES . NET CODE

2008-02-08T09:22:00.000-08:00

COMMONLY FOUND WEB SERVICES ISSUES IN .NET CODE.

Check the following areas in web services form security point of view
· Input validation
· Authentication
· Authorization
· Information Disclosure
· Auditing & Logging
· Unnecessary protocol
· Communication Channels

1. Inadequate Input Validation in IBUYSPY webservices
--------------------------------------------------------
NONE of the inputs accepted by the ANY of the web methods are validated before being sent to the business methods.
Although there is currently no well known vulnerability that can be exploited, input validation is required as per policy.

Example:--
IBUYSPY \App_Code\OrderCancel.cs(58):
[WebMethod]
public IBUYSPY.Utility ProcessCancel(string orderId, string[] itemId, string itemStatusReasonCode)
{
const string LOGSOURCE = " IBUYSPY.Utility.ProcessCancel";
IBUYSPY.Utility omResult = new Utility.Result();
CancelOrder order = new CancelOrder();
try
{
int retVal = order.ProcessCancel(orderId, itemId, itemStatusReasonCode);

IBUYSPY.Utility \App_Code\PaymentWebService.cs(41):
public IBUYSPY.Utility ProcessCharge(string serviceRequestNumber)
{
try
{
IBUYSPY.PaymentService PaymentService = new Payment.PaymentService();
IBUYSPY.Result Result = PaymentService.ProcessCharge("",serviceRequestNumber);

==================
Recommendations
==================
Perform input validations for all user inputs.

2. Hard-coded default namespace http://www.tempuri.org should not be used
-------------------------------------------------------------------------------

Hard-coded default namespace http://www.tempuri.org should not be used. The logic in this code allows for the possibility that this default namespace could be returned in two places.

==================
Recommendations
==================

Each XML Web Service needs a unique namespace in order for client applications to distinguish it from other services on the Web. By default, ASP.Net Web Services use http://tempuri.org/ for this purpose. While this suitable for XML Web Services under development, published services should use a unique, permanent namespace.

Your XML Web Service should be identified by a namespace that you control. For example, you can use your company's Internet domain name as part of the namespace. Although many namespaces look like URLs, they need not point to actual resources on the Web.

3. WebServices configured to communicate over cleartext http channel
--------------------------------------------------------------------------------------------
IBUYSPY.asmx configured to communicate over cleartext http channel which leads to data integrity and confidentiality issues (data is HBI).

File >>app.comfig, web.config, master.config

==================
Recommendations
==================
Configure IBUYSPY.asmx to communicate only over https.

4. Consuming Web Services using Basic Authentication
-------------------------------------------------------------------------------------------------------------
Consuming Web Services using Basic Authentication. This application consumes webservices using basic authentication for which a domain account is hardcoded in code. Also, since the web service is not under SSL, this is subject to network eavesdropping.

Code Excerpts:
--------------------------
service.Credentials = new System.Net.NetworkCredential (UserName, Password, Domain);
Files:- IBUYSPY\Callout\GetSystemUserInfo.cs
===============
Recommendation:
===============
-- Use Digest or NTLM.

5. Information disclosure through web-service files
------------------------------------------------------------------------------------------------------------------

The web service is configured to allow execution of the Documentation protocol, which when enabled provides the WSDL documentation with all the necessary information to communicate with the web service.
WSDL documentation reveals descriptive information about web services. Descriptive information such as that produced by appending? WSDL to a web services file (.asmx) may be considered an information leakage security risk when the web service is intended for private consumption only.

==================
Recommendations
==================

- Authorize access to WSDL files using NTFS permissions.
- Remove WSDL files from Web server.
- Disable the documentation protocols to prevent the dynamic generation of WSDL

Disable non required protocols, such as Documentation in the appropriate ASP.NET configuration file to prevent attackers from easily obtaining required syntax for interacting with the target web service. Ensure fix is implemented in production.
The following example shows the web Services configuration element added to a Web.config file to disable the automatic generation of browser-friendly documentation:

6. Unsafe methods exposed as WebMethod / web-services :
---------------------------------------------------------------------------------------------------------------------------------------
The web-methods allow the callers elevated privileges as the web-services uses a fixed identity without any impersonation and the identity is also a part of the power users group on the server.

Using these methods any user can download any file to which he does not have access to, and can execute any SP query and get access to data.

The following methods are unsafe:
GetFile (allows users unauthorized access to any file which can be accessed by the service account which belongs to power user group)
GetListContent, GetPromoListContent, GetListItemCount, ModifiyListItem,DeleteListItem, Eventlog

==================
Recommendations
==================

Remove the vulnerable methods
Restrict them with proper authorization and input validation controls

7. Configuration Error Brock - Default IUSR account used for web services
------------------------------------------------------------------------------
Brock - Default IUSR account used for web services
Rename default IUSR account or use other account for local web service. IUSR_BROCK account

8. Design Recommendation
----------------------------------------

Bicep.asmx and BV.asmx should not be hosted in the trusted domain, and must be hosted in the throw away domain. These two web services are at the core of the functionality, they interact with the back end system and when give page data return the translated pages. A malicious user can send requests to the SOAP APIs and cause the translation to occur in the domain. Although the translation needs to occur and the pages needs to be loaded using the process by Translate.js. However, it is possible to start a translation and then request the page ID from the SOAP API.

There is no known way to create SOAP requests from an external domain. However, as we have mentioned to segregate the trusted and untrusted data handlers, it is recommended to move these Web Services to the throw away domain as well.
NOTE: It is also recommended to put the physical path as a static server side parameter, instead of evaluating at run time, as there might be some future exploits against using HTTPContext Object.

Global.ascx
Line 12:

Statics.PhysicalServerPath = Context.Request.PhysicalApplicationPath;

==================
Recommendations
==================

This is used to dynamically load the binaries using kernel32.dll's LoadLibrary Native function.

9. Web service configured to use multiple communication protocols (ie. HttpGet, and HttpPost)
---------------------------------------------------------------------------------------------------
The web service permits HTTP-GET, HTTP-POST, and SOAP requests. If the web service uses SOAP messages, disable HTTP-GETs and HTTP-POSTs at a machine level(machine.config). To minimize the attack surface of the web service, disable those request methods not used by the web service.

==================
Recommendations
==================
Disable HTTP-GET and HTTP-POST if not required by the web service.

This can be achieved by disabling in machine.config.

In machine.config, the following is present by default:

So to disable HttpGet and HttpPost in machine.config, comment out the HttpPost and HttpGet lines

NOTE: If either of these communication protocols need to be enabled for other web services it is possible to add them back per web service in each web service's web.config file by creating a and adding support for these protocols with the and elements.

10. Web services send sensitive error messages to client
------------------------------------------------------------

This is a pervasive issue with the application. The web services do not send generic messages the thick client. This fix requires code level changes within the server component.

The recommended solution to preserve both data confidentiality and troubleshooting capabilities is to store detail application exceptions locally on the server while providing the user with a generalized error message.

11. Verbose Error Messages in: IBUYSPY webservices
-------------------------------------------------
The following web services will be called by different clients for charging/ refund etc.
In ALL the web methods exception handling is implemented this way:-
[WebMethod]
public IBUYSPY.Result ProcessChargeTransaction(string orderId, string serviceRequestNumber)
{
try
{
IBUYSPY.PaymentService PaymentService = new IBUYSPY.PaymentService();
IBUYSPY.Result omResult = PaymentService.ProcessCharge(orderId, serviceRequestNumber);

return Result;
}
catch (SoapException ex)
{
throw ex;
}
catch (Exception ex)
{
throw ex;
}

This will result in verbose error messages being returned to the end user in case of an exception.

==================
Recommendations
==================

Unless required by business, throw exceptions that include generic error messages.

12. Insufficient logging controls in IBUYSPY webservices
-------------------------------------------------------
The following web services will be called by different clients for charging/ refund etc.
From a logging perspective it is important to know exactly which client asked for the transaction for an order.

==================
Recommendations
==================
Authenticate the caller. Authorize to make sure the caller is allowed to call the service.
Once action is taken, log the caller's identity against the action taken. This is important for scenarios where the caller may later repudiate calling the service and taking the action.

b) Multi-tiered applications MUST track and push, from beginning to end, all information necessary to audit transactions. This MUST occur from the original connection to the system, through authentication and/or impersonation, to the end of the interaction.

Verified. The serial number of the client certificate used to authorize the caller has been logged as part of the call.

You can add me in Linked in contacts

2008-02-01T11:00:00.000-08:00

http://www.linkedin.com/pub/4/611/739

One more Security Blog which i started long back in 2004

2008-02-01T10:56:00.000-08:00

This blog is related to .NET Security

http://dotnetsecurity.blogspot.com/

My other Database security blogs

2008-02-01T10:52:00.000-08:00

Database realated security blog

http://sqlsecurity.blogspot.com/

About Me

2007-08-21T20:41:00.000-07:00

Protect Confidentiality, Integrity, and Availability of information and information systems. Advise and engineer secure solutions for business opportunities. Learn and experience, mentor and share.

The Three words are my part of daily calender.by now you understand what is my profession, i am security consultant.

Around Six years of overall IT experience for Fortune 100 Inc in which includes Three+ years of experience in Application Security. In depth knowledge of Appsec, Code Reviews, Design Reviews, Deployment reviews, Threat modeling, Risk Assessment.

Working ACE Team from past 3+ years and reviewed more then 100+ Enterprise Level applications with more then 4000+ man hours of Experience in Appsec.