Thursday, February 23, 2006

10 Immutable Laws of Security

  •  If an attacker can persuade you to run his program on your computer, it is not your computer anymore
     
  •  If an attacker can alter the operating system on your computer, it is not your computer anymore
     
  •  If an attacker has unrestricted physical access to your computer, it is not your computer anymore
     
  •  If you allow an attacker to upload programs to your Web site, it is not your Web site any more
     
  •  Weak passwords prevail over strong security
     
  •  A computer is only as secure as the administrator is trustworthy
     
  •  Encrypted data is only as secure as the decryption key
     
  •  Out-of-date antivirus software is only marginally better than no antivirus software at all
     
  •  Absolute anonymity is not practical in real life nor on the Web
     
  •  Technology is not a panacea

Source : Clinic 2801 // microsoftelearning.com

Friday, February 17, 2006

Attack code out for latest Microsoft flaw

Actually the heading should be Attack code out late for Microsoft flaw Why ? microsoft patched that flaw 2 days earlier cheers!

Two examples of computer code that exploit a flaw in Windows Media Player have become available only days after Microsoft released a patch to fix the bug.

The "proof-of-concept" exploits that take advantage of a flaw in the media player were posted on the Web over the past couple of days. The flaw, rated "critical" by Microsoft, could enable an attacker to seize control of a vulnerable computer system. The appearance of proof-of concept code is usually a sign that actual attacks are not far off. Microsoft, when it released its patch Tuesday, urged users to upgrade their systems as soon as possible.

Microsoft recently issued patch MS06-005 as part of its monthly security update. The vulnerability in Windows Media Player can compromise a system through malicious images embedded in the player.Versions of Windows Media Player affected by the bug include 7.1 through 10. The vulnerability was also tagged as "critical" by the French Security Incident Response Team, or FrSIRT, a research outfit that published one of the two exploits.

Microsoft announced the release of seven fixes on Tuesday, including a "critical" patch for a Windows Meta File vulnerability in Internet Explorer. It exists only in IE 5.01 with Service Pack 4 on Windows 2000 and IE 5.5 with Service Pack 2 on Windows ME, Microsoft said in the security advisory.

Tuesday, February 14, 2006

Windows Defender Out!


wondering what is it ??? Its the transformation of microsoft antispyware (GAINT) to Beta2! so what are u waiting for ? install now! [25 million subscribers!] Microsoft will continue beta1 support till june’06

Here is a comparision chart of windows defender to other microsoft security software.

The New Face of Phishing !!!

Phishing is a difficult enough form of fraud to avoid for most computer users, but when some of the biggest names in the financial industry fail to do their part to detect and eliminate these online scams, consumers often are placed in an untenable situation.

Case in point: A source recently forwarded a link to one of the "best" phishing attacks I've ever seen. This one -- targeting the tiny Mountain America credit union in Salt Lake City, Utah -- arrives in an HTML-based e-mail telling recipients that their Mountain America credit union card was automatically enrolled in the Verified by Visa program, a legitimate security program offered by Visa that is supposed to provide "reassurance that only you can use your Visa card online."


The fake MountainAmerica.net Web site
 
The e-mail includes the first five digits of the "enrolled card," but those five digits are found on all Mountain America bank cards, so that portion of the scam is likely to be highly convincing for some recipients. The message directs readers to click on a link and activate their new Verified by Visa membership.

Now here's where it gets really interesting. The phishing site, which is still up at the time of this writing, is protected by a Secure Sockets Layer (SSL) encryption certificate issued by a division of the credit reporting bureau Equifax that is now part of a company called Geotrust. SSL is a technology designed to ensure that sensitive information transmitted online cannot be read by a third-party who may have access to the data stream while it is being transmitted. All legitimate banking sites use them, but it's pretty rare to see them on fraudulent sites.


The SSL Certificate issued to Mountain-America.net
 
Geotrust and other SSL issuers are supposed to do some basic due diligence to ensure that the entity requesting an SSL certificate is indeed authorized to request it on the company's behalf. In this case, however, it looks like that process fundamentally broke down. Once a user is on the site, he can view more information about the site's security and authenticity by clicking on the padlock located in the browser's address field. Doing so, I was able to see that the certificate was issued by Equifax Secure Global eBusiness CA-1.

The certificate also contains a link to a page displaying a "ChoicePoint Unique Identifier" for more information on the issuee, which confirms that this certificate was issued to a company called Mountain America that is based in Salt Lake City (where the real Mountain America credit union is based.)

Choicepoint is a data aggregator that bills itself as "the nation's leading provider of identification and credential verification services." When Geotrust issues a certificate, Choicepoint provides a unique identifier -- an alphanumeric identifier that is supposed to be linked to a "corporate profile" that people can use to learn more about the recipient of that certificate. However, the profile page on this particular phishing site didn't have any more information than was already included in the rest of the certificate, including the company's name, city and state of incorporation, and the company's Web site (in this case, the profile refers to the phishing site's address.) It's unclear to me how the unique identifier adds anything that is of use to the person trying to verify the legitimacy of a Web site.


ChoicePoint's "Unique Global Business Record" for Mountain-America.net
 
I put a call in to the Geotrust folks. Ironically, a customer service representative said most of the company's managers are presently attending a security conference in Northern California put on by RSA Security, the company that pretty much wrote the book on SSL security and whose encryption algorithms power the whole process. When I hear back from Geotrust, I'll update this post.

The error page generated by Visa.com
 
Back to the Verified by Visa program. Users who get the phishing e-mail described above -- or any genuine communications prompting them to visit the Visa site -- might think they're being sent to another fraudulent Web site. First off, the Visa site asks users to enter their credit card number. Then there's the fact that when I clicked on any of the links on the Verified by Visa site, I received "Page not found" errors.

The site has finally been shutdown!, thanks to the hard work of the folks at the SANS Internet Storm Center, who first spotted this scam.

Also, I heard back from Geotrust. Joan Lockhart, the company's vice president of marketing, said the site was registered on Sunday and the cert was issued early this morning. Lockhart said Geotrust has a rigorous process in place to check for phishy certificate requests that relies on algorithms which check cert requests for certain words, misspellings or phrases that may indicate a phisher is involved. In this case, she said, the technology did not flag the request because there was nothing in the Internet address to indicate the site was at all related to a financial institution.

Geotrust's cert verification process is largely automated: when someone requests a cert for a particular site, the company sends an e-mail to the address included in the Web site's registrar records, along with a special code that the recipient needs to phone in to complete the process.

Lockhart said she doubted that inserting a human into that process would have flagged the account as suspicious.

"I would argue that probably anyone who is processing mountain-america.net would not have raised flags," she said.

Source: Brain Krebs

Sunday, February 12, 2006

NEWS: Critical Bugs Sting Lotus Notes

Some of the six holes can allow attackers to hijack corporate systems even if users only view incoming e-mail.

Six critical vulnerabilities have been found in IBM's Lotus Notes, Big Blue and security firms announced Friday, including some that could allow attackers to hijack corporate systems if users simply viewed incoming e-mail.

Danish vulnerability tracker Secunia, which discovered the half-dozen bugs, tagged them as "Highly critical," its second-from-the-top alert rating, and said that some of the flaws would create buffer overflows, normally the only entry hackers need to start dropping their own code onto a compromised computer.

Some of the vulnerabilities, said Secunia, can be exploited if users only view malicious e-mails, while others require users to open attachments or extract files from a zipped file attached to a message. Several versions of Notes are at risk, including 7.0 and 6.5.4. Upgrading Notes to 6.5.5 or 7.0.1 solves the problem, said IBM.

"In general, users are strongly urged to use caution when opening or viewing unsolicited file attachments," IBM also recommended in its advisory. IBM offered up work-arounds for customers unable to patch immediately, but they required users or administrators to disable a number of DLLs.

The last bugs to hit Notes were a handful in early January, when IBM itself acknowledged that the e-mail system and its client were open to denial-of-service (DoS) attacks.

Friday, February 10, 2006

Security In Visual Studio

Security considerations should be included in all aspects of your application development, from design to deployment.

To help you effectively develop secure applications, you should have a fundamental understanding of security concepts and the security features of the platforms for which you develop. You should also have an understanding of secure coding techniques.

Understanding Security
Security in the .NET Framework

Describes .NET Framework code access security, role-based security, security policy, and security tools.

Defend Your Code with Top Ten Security Tips Every Developer Must Know (Click here)

Describes the really important issues you should watch out for so that you don't compromise your data or your system.

Coding for Security

Most coding errors that result in security vulnerabilities occur because developers make invalid assumptions when working with user input or because they do not fully understand the platform for which they are developing.

Security Policy Best Practices

Describes the .NET Framework security system recommended best practices you may need to consider in your code.

Secure Coding Guidelines

Provides guidelines for classifying your components to address security issues.

Security Best Practices for C++

Discusses buffer overruns and the complete picture of the Microsoft Visual C++ security checks feature provided by the /GS compile-time flag.

Wednesday, February 08, 2006

Windows OneCare Pricing...

Prices are out for windows one care and the offers are kooler than expected. Microsoft Windows OneCare Live will be available in June from retailers and via the Web for an annual subscription of $49.95 for up to three personal computers. To thank its valuable beta customers (like me ;) ) and offer an easy transition to the paid service, Microsoft also announced a promotional deal offering the first year of Windows OneCare Live service for $19.95 to beta customers who become subscribers between April 1 and April 30, 2006.

OneCare is now available free to all new beta testers, at http://ideas.live.com, its a must try!!!

 

 

 

 

discontinued
PRODUCT DISCONTINUED!
Windows Live OneCare is no longer available for sale!
Looking for a Microsoft Solution to try goto:
Microsoft Security Essentials a FREE anti-malware solution.

Tuesday, February 07, 2006

Secure Coding Guidelines

Evidence-based security policy and code access security provide very powerful, explicit mechanisms to implement security. Most application code can simply use the infrastructure implemented by the .NET Framework. In some cases, additional application-specific security is required, built either by extending the security system or by using new ad hoc methods.

Using the .NET Framework-enforced permissions, and other enforcement in your code, you should erect barriers to prevent malicious code from obtaining information that you do not want it to have or performing other undesirable actions. Additionally, you must strike a balance between security and usability in all the expected scenarios using trusted code.

Goto Page.

Monday, February 06, 2006

Windows OneCare Review

Windows OneCare Live I have been testing / playing / using OneCare for few months now, so decided to jot down a small review! hope this helps u decide what's best! Windows OneCare (still a beta) is works great and has tons of features and with many features being added on. This one is aims high for the record! Integrated Antivirus, Firewall, Defragger, Backup solutions and many more to come the best thing of all is the service is not a resource hungry u wont even notice any or much of difference at all. i tested it along with other antivirus tools and guess what very few interfere with its functioning others are probably happy to find OneCare around. what i mean is u can have Antivir / avg / avast / ez Antivirus ( parallel / along ) with OneCare and no problems they would work in harmony and still u will not notice a load on ur system, And for those who are wondering if its antivirus is good enough? think again OneCare can pretty much detect all the viruses around and protect ur system. best feature is its security level indicator and security advisories and updates. it will update missing security updates to make ur system strong! Pops up security advisories too, so as u can take necessary precautions and guess what will be the price of it once its public ? no its not that costly like Norton or MCAfee AV's in-fact its going to be the cheapest! news has it that its going to be around 50$ very affordable and guess what if u have been beta testing it u would get 60% discount too :) One more thing u will be buying OneCare as product licence not as a version product i.e., once u buy its gonna update itself add new modules add virus definitions tools all no charge as its an yearly license now that's a double thumbs-up! else like other antivirus software's u would need to pay more every-time a new version is released and the companies slowly stop service to old versions sorry no tactics here with OneCare this shows Microsoft really put out this product keeping user in mind not the money! I would really love OneCare to be free like Microsoft Antispyware but with a product like this its going to be a worthy investment to keep ur system fit and fine.

What should OneCare have: It would be kool if OneCare cud integrate Microsoft Antispyware to show in one interface easier to user but who knows by the time OneCare is out in market it mite have everything integrated to one. a registry cleaner to add in OneCare tools would be great Add-In! a safe viewer like red-wall for outlook attachments safe viewing would be gr8!. Hope to see these features in its release.
 

discontinued
PRODUCT DISCONTINUED!
Windows Live OneCare is no longer available for sale!
Looking for a Microsoft Solution to try goto:
Microsoft Security Essentials a FREE anti-malware solution.

Thursday, February 02, 2006

HTTPS Security Improvements in Internet Explorer 7

HTTPS uses encryption to secure your Internet traffic to protect it from snooping or tampering by others on the network. HTTPS uses either the Secure Sockets Layer (SSL) or the Transport Layer Security (TLS) protocols to protect data.

In order to improve security and add new functionality, changes have been made to the HTTPS implementation in Windows Internet Explorer 7. New protocol defaults in IE7 reduce the likelihood of someone taking advantage of configuration or protocol weaknesses to intercept or modify Web traffic transferred using the HTTPS protocol. New error pages provide a simplified user experience which helps to mitigate social-engineering and phishing attacks.

Read More.