Javier Echaiz Security

Technology News: Exploits & Vulnerabilities: Internet Explorer Flaw Lets Hackers Into the Cookie Jar

noreply@blogger.com (JaviZ) — Mon, 30 May 2011 02:09:00 +0000

By Richard Adhikari

TechNewsWorld
05/27/11 5:00 AM PT

Security researcher Rosario Valotta has apparently discovered a vulnerability in Microsoft's Internet Explorer that could be used to install malware and forge clicks. The so-called cookiejacking attack involves figuring out the victim's Windows username, knowing which version of Windows the victim is running and tricking the user into selecting the entire content of the stolen cookie.

Use your mobile phone for secure Web sign-ins | Workers' Edge - CNET News

noreply@blogger.com (JaviZ) — Mon, 30 May 2011 02:06:00 +0000

Use your mobile phone for secure Web sign-ins | Workers' Edge - CNET News

by Dennis O'Reilly (May 29th)

In the battle to protect our data, passwords are the first line of defense. Unfortunately, passwords are a pain to manage.

Read more: http://news.cnet.com/8301-13880_3-20066990-68.html#ixzz1NnUqsOuL

The Best Web Apps and Online Services: Get the Most Out of the Cloud | PCWorld

noreply@blogger.com (JaviZ) — Mon, 30 May 2011 01:57:00 +0000

By using Web-based applications and storing your files online, you can work from anywhere, on any device, for next to nothing.

By Robert Strohmeyer, PCWorld May 29, 2011 10:00 pm

XSS and the NASA (NA_XSS_A?)

noreply@blogger.com (JaviZ) — Tue, 02 Mar 2010 22:49:00 +0000

I was on http://winds.jpl.nasa.gov/imagesAnim/quikscat.cfm when I found this:

http://winds.jpl.nasa.gov/imagesAnim/images.cfm?pageName=ImagesAnim&subPageName=QuikSCAT&Image=QS_S1B28865%22%3E%3Cscript%3Ealert%28/XSS/%29%3C/script%3E

OMG! NASA? Yep... Even when you assume security is a must @ sites like NASA, there are (some) insecurities! As you can see Image was not sanitized (as it should have been! :)

I did some more tests on another NASA site (http://sbir.gsfc.nasa.gov):

We can list some directories:
http://sbir.gsfc.nasa.gov/sbirweb/search/

And we can see another XSS vulnerability:
http://sbir.gsfc.nasa.gov/sbirweb/search/searchResults.jsp?st=%22%3E%3Cscript%3Ealert(/XSS/)%3C/script%3E

ok, there is no more fun with NASA.

Why I'm posting this? I'm sure people at NASA already know it... Now I will googe a bit b4 posting. Yep! I've found http://hackingethics.wordpress.com/2010/02/15/xss-in-nasa-and-sql-injection-in-pentagon/ (and other links)

well, It seems I can post this... Someone wants to look for vulnerabilities at Pentagon? Spare time? Where are You when I need You?

Microsoft, Aurora and something about forest and trees?

noreply@blogger.com (JaviZ) — Sat, 30 Jan 2010 04:18:00 +0000

Perhaps it is the fine tequila this evening, but I really don't get how our industry can latch on to the recent 'Aurora' incident and try to take Microsoft to task about it. The amount of news on this has been overwhelming, and I will try to very roughly summarize:

News surfaces Google, Adobe and 30+ companies hit by "0-day" attack

Google uses this for political overtones

Originally thought to be Adobe 0-day, revealed it was MSIE 0-day

Jan 14, confirmed it is MSIE vuln, shortly after dubbed "aurora"

Jan 21, uproar over MS knowing about the vuln since Sept

Now, here is where we get to the whole forest, trees and some analogy about eyesight. Oh, I'll warn (and surprise) you in advance, I am giving Microsoft the benefit of the doubt here (well, for half the blog post) and throwing this back at journalists and the security community instead. Let's look at this from a different angle.

The big issue that is newsworthy is that Microsoft knew of this vulnerability in September, and didn't issue a patch until late January. What is not clear, is if Microsoft knew it was being exploited. The wording of the Wired article doesn't make it clear: "aware months ago of a critical security vulnerability well before hackers exploited it to breach Google, Adobe and other large U.S. companies" and "Microsoft confirmed it learned of the so-called 'zero-day' flaw months ago". Errr, nice wording. Microsoft was aware of the vulnerability (technically), before hackers exploited it, but doesn't specifically say if they KNEW hackers were exploiting it. Microsoft learned of the "0-day" months ago? No, bad bad bad. This is taking an over-abused term and making it even worse. If a vulnerability is found and reported to the vendor before it is exploited, is it still 0-day (tree, forest, no one there to hear it falling)?

Short of Microsoft admitting they knew it was being exploited, we can only speculate. So, for fun, let's give them a pass on that one and assume it was like any other privately disclosed bug. They were working it like any other issue, fixing, patching, regression testing, etc. Good Microsoft!

Bad Microsoft! But, before you jump on the bandwagon, bad journalists! Bad security community!

Why do you care they sat on this one vulnerability for six months? Why is that such a big deal? Am I the only one who missed the articles pointing out that they actually sat on five code execution bugs for longer? Where was the outpour of blogs or news articles mentioning that "aurora" was one of six vulnerabilities reported to them during or before September, all in MSIE, all that allowed remote code execution (tree, forest, not seeing one for the other)?
CVE Reported to MS Disclosed Time to Patch
CVE-2010-0244 2009-07-14 2010-01-21 6 Months, 7 Days (191 days)
CVE-2010-0245 2009-07-14 2010-01-21 6 Months, 7 Days (191 days)
CVE-2010-0246 2009-07-16 2010-01-21 6 Months, 5 Days (189 days)
CVE-2010-0248 2009-08-14 2010-01-21 5 Months, 7 days (160 days)
CVE-2010-0247 2009-09-03 2010-01-21 4 Months, 18 days (140 days)
CVE-2010-0249 2009-09-?? 2010-01-14 4 Months, 11 days (133 days) - approx
CVE-2010-0027 2009-11-15 2010-01-21 2 Months, 6 days (67 days)
CVE-2009-4074 2009-11-20 2009-11-21 2 Months, 1 day (62 days)

Remind me again, why the "Aurora" conspiracy is noteworthy? If Microsoft knew of six remote code execution bugs, all from the September time-frame, why is one any more severe than the other? Is it because one was used to compromise hosts, detected and published in an extremely abnormal fashion? Are we actually trying to hold Microsoft accountable on that single vulnerability when the five others just happened not to be used to compromise Google, Adobe and others?

Going back to the Wired article, they say on the second to last paragraph: "On Thursday, meanwhile, Microsoft released a cumulative security update for Internet Explorer that fixes the flaw, as well as seven other security vulnerabilities that would allow an attacker to remotely execute code on a victim's computer." Really, Wired? That late in the article, you gloss over "seven other vulnerabilities" that would allow remote code execution? And worse, you don't point out that Microsoft was informed of five of them BEFORE AURORA?

Seriously, I am the first one to hold Microsoft over the flames for bad practices, but that goes beyond my boundaries. If you are going to take them to task over all this, at least do it right. SIX CODE EXECUTION VULNERABILITIES that they KNEW ABOUT FOR SIX MONTHS. Beating them up over just one is amateur hour in this curmudgeonly world.

Source: OSVDB.org.

BackTrack 4 Final Release

noreply@blogger.com (JaviZ) — Sat, 30 Jan 2010 03:58:00 +0000

Taken from the new BackTrack Site : BackTrack 4 Final is out and along with this release come some exciting news, updates, and developments. BackTrack 4 has been a long and steady road, with the release of abeta last year, we decided to hold off on releasing BackTrack 4 Final until it was perfected in every [...]

http://www.offensive-security.com/blog/backtrack/backtrack-4-final-release/

You can download BT4 from here.

132,000+ sites Compromised Via SQL Injection

noreply@blogger.com (JaviZ) — Sun, 13 Dec 2009 15:20:00 +0000

Net-Security has posted an article on the discovery of 132k+ sites that have been SQL Injected. From the article

"A large scale SQL injection attack has injected a malicious iframe on tens of thousands of susceptible websites. ScanSafe reports that the injected iframe loads malicious content from 318x.com, which eventually leads to the installation of a rootkit-enabled variant of the Buzus backdoor trojan. A Google search on the iframe resulted in over 132,000 hits as of December 10, 2009."

The google search query string is here.

Unintentional Insider Attacks

noreply@blogger.com (JaviZ) — Thu, 26 Nov 2009 10:02:00 +0000

In this week’s Cyber Risk Report, we noted a recent article on CSO Online that mentions a rise in internal security incidents that are caused unintentionally or non-maliciously by employees. Employees, especially younger ones that have a lifelong connection to computers and the Internet, are becoming more involved with technologies and Internet resources in the workplace. As a result, companies are finding that their security policies, and in some cases their perimeters, are being breached by workers who are determined to access files, media, websites, or communities that are considered off-limits. Organizations and their security teams are challenged by the rise in disobedience and disdain for established policy. How can they be stopped?

They can’t.

User access control is a grand paradox for computer security. Data is useless without access, and access is impossible without some user to control a system or at least to maintain it. Wherever there is human interaction with a computer, there is a potential for the user to bend, stretch, or break their permissions to do things that they are not supposed to do. Technical controls can certainly be established, but even the most stringent controls like DRM can be broken. Portable electronics are growing smaller every day, and cell phones are some of the most versatile pieces of equipment for a determined attacker. Cameras, Internet access, and even custom applications make today’s phones a nightmare for a controlled environment. And even low-tech attacks like remembering information and writing it down on paper can cause information to leak out of an organization. There is simply no way to stop a user from abusing their rights.

Controls for human factors, therefore, are not rigid like technical controls. Organizations must set boundaries and guidelines that are not seen as overly restrictive. Any time a user feels as if their purpose (whether their personal goals or their occupational ones) is hindered, there is risk that they will put themselves above the corporation. If an employee in Sales needs to access a video of a competitor’s presentation from a public site that is banned by corporate policy, she might circumvent controls to ensure she can meet her quota. If a network administrator needs to troubleshoot a problem across a range of devices in an area, he might install a rogue wireless access point to connect his laptop to the network in order to make the job go faster and save the company money from his lost productivity.

The best way to ensure that controls are not seen as overly restrictive is to generate awareness and training around them. Whenver possible, not setting arbitrary controls is also effective. Users must understand why they are being denied something that they could see as important to their work, and they must buy into the idea presented by the company. Alternative options will also help employees feel like they have a way to get the required work done without compromising things that the corporation feels need to be strongly protected.

Discipline is also important. Not only must the punishment for infringement fit the infraction, but it must be consistently applied. Nothing irks a subordinate more than to see their superiors able to use political clout to thwart the same controls that they must abide by. Pervasive unfair treatment of security policies can quickly lead to someone breaking the rules just to feel that balance has been restored.

And finally, monitoring and management of information brings a technical control to bear on human problems. Instead of actually limiting use, monitoring just ensures that the right kind of information is flowing, that excessive quantities of data aren’t being shipped to a competitor, or that resources aren’t being hoarded by the videos that are watched by just a few employees. Network situational awareness will lead to an organization that is able to permit actions and monitor them, rather than forbid actions and drive them into dark recesses or side channels that cannot be monitored. Combined with a fair and accessible acceptable use policy, organizations can succeed by cooperating with users instead of working against them.

Original article.

Improper Input Handling

noreply@blogger.com (JaviZ) — Thu, 22 Oct 2009 19:03:00 +0000

Improper input handling is one of the most common weaknesses identified across applications today. Poorly handled input is a leading cause behind critical vulnerabilities that exist in systems and applications.
Generally, the term input handing is used to describe functions like validation, sanitization, filtering, encoding and/or decoding of input data. Applications receive input from various sources including human users, software agents (browsers), and network/peripheral devices to name a few. In the case of web applications, input can be transferred in various formats (name value pairs, JSON, SOAP, etc...) and obtained via URL query strings, POST data, HTTP headers, Cookies, etc... Non-web application input can be obtained via application variables, environment variables, the registry, configuration files, etc... Regardless of the data format or source/location of the input, all input should be considered untrusted and potentially malicious. Applications which process untrusted input may become vulnerable to attacks such as Buffer Overflows, SQL Injection, OS Commanding, Denial of Service just to name a few.

Improper Input Validation

One of the key aspects of input handling is validating that the input satisfies a certain criteria. For proper validation, it is important to identify the form and type of data that is acceptable and expected by the application. Defining an expected format and usage of each instance of untrusted input is required to accurately define restrictions.

Validation can include checks for type safety and correct syntax. String input can be checked for length (min & max number of characters) and character set validation while numeric input types like integers and decimals can be validated against acceptable upper and lower bound of values. When combining input from multiple sources, validation should be performed during concatenation and not just against the individual data elements. This practice helps avoid situations where input validation may succeed when performed on individual data items but fails when done on a combined set from all the sources [11].

Client-side vs Server-side validation

A common mistake most developers make is to include validation routines in the client-side of an application using JavaScript functions as a sole means to perform bound checking. Validation routines are beneficial on the client side but are not intended to provide a security feature as all data accessible on the client side is modifiable by a malicious user or attacker. This is true of any client-side validation checks in JavaScript and VBScript or external browser plug-ins such as Flash, Java, or ActiveX. The HTML5 specification has added a new attribute "pattern" to the INPUT tag that enables developers to write regular expressions as part of the markup for performing validations [29]. This makes it even more convenient for developers to perform input validation on the client side without having to write any extra code. The risk from such a feature becomes significant when developers start using it as the only means of performing input validation for their applications. Relying on client-side validation alone in not a safe practice. It gives a false sense of security to many developers since client-side validations can easily be evaded by malicious entities. It is important to note that while client-side validation is great for UI and functional validation, it isn't a substitute for server-side validation. Performing validation on the server side ensures integrity of your validation controls. In addition, the server-side validation routine will always be effective irrespective of the state of JavaScript execution on the browser. As a best practice input validation should be performed both on the client side as well as on the server side.

Improper Input Sanitization and Filtering

Sanitization of input deals with transforming input to an acceptable form where as filtering deals with blocking/allowing all or part of input that is deemed unacceptable/acceptable respectively. Sanitization and filtering typically is implemented in addition to input validation.

Weak sanitization and/or filtering can lead an attacker to evade such mechanisms and supply malformed and/or malicious input to the application. The "attacks" section of this document describes SQL Injection and Buffer Overflow attacks which are a direct effect of missing or weak filtering/sanitization.

Input Sanitization

Input sanitization can be performed by transforming input from its original form to an acceptable form via encoding or decoding. Common encoding methods used in web applications include the HTML entity encoding and URL Encoding schemes. HTML entity encoding serves the need for encoding literal representations of certain meta-characters to their corresponding character entity references. Character references for HTML entities are pre-defined and have the format &name; where "name" is a case-sensitive alphanumeric string. A common example of HTML entity encoding is where "<" is encoded as < and ">" encoded as > . Refer to [1] for more information on character encodings. URL encoding applies to parameters and their associated values that are transmitted as part of HTTP query strings. Likewise, characters that are not permitted in URLs are represented using their Unicode Character Set code point value, where each byte is encoded in hexadecimal as "%HH". For example, "<" is URL-encoded as "%3C" and "ÿ" is URL-encoded as "%C3%BF".

There are many ways in which input can be presented to an application. With web applications and browsers supporting more than one character encoding types, it has become a common place for attackers to try and exploit inherent weaknesses in encoding and decoding routines. Applications requiring internationalization are a good candidate for input sanitization. One of the common forms of representing international characters is Unicode [18]. Unicode transformations use the UCS (Universal Character Set) which consist of a large set of characters to cover symbols of almost all the languages in the world. The table below, taken from [21], shows a set of samples with different characters from UCS that are visually similar in representation to ASCII characters "s", "o", "u" and "p". From the most novice personal computer user to the most seasoned security expert, rarely does an individual inspect every character within a Unicode string to confirm its validity. Such misrepresentation of characters enables attackers to spoof expected values by replacing them with visually or semantically similar characters from the UCS.

s	ｓ	ѕ	Ⴝ	Ｓ	Ѕ	Ϩ
0073	FF53	0455	10BD	FF33	0405	03E8
o	ο	о	ｏ	º	ﾷ	ѻ
006F	03BF	043E	FF4F	00BA	FFB7	047B
u	⊔	υ	⋃	∪	Ĳ	ṵ
0075	2294	03C5	22C3	222A	0132	1E75
p	р	ｐ	ƿ	ρ	ק	Р
0070	0440	FF50	01BF	03C1	05E7	0420

Note that although the characters have a similar visual representation, they all carry a different hexadecimal code that uniquely maps to UCS. Additional information on character encoding types and output handling can be found at [22].

Canonicalization

Canonicalization is another important aspect of input sanitization [20]. Canonicalization deals with converting data with various possible representations into a standard "canonical" representation deemed acceptable by the application. One of the most commonly known application of canonicalization is "Path Canonicalization" where file and directory paths on computer file systems or web servers (URL) are canonicalized to enforce access restrictions. Failure of such canonicalization mechanism can lead to directory traversal or path traversal attacks [24]. The concept of canonicalization is widely applicable and applies equally well to Unicode and XML processing routines.

The first major Unicode vulnerability was documented against Microsoft Internet Information Server (IIS) in October 2000 [12]. This vulnerability allowed attackers to encode "/", "\" and "." characters to appear as their Unicode counterparts and bypass the security mechanisms within IIS that block directory traversal. In another example, a vulnerability discovered in Google perfectly illustrates the significance of character encoding [13]. The vulnerability stated in this example exploits lack of consistency in character encoding schemes across the application. While expecting UTF-8 [14] encoded characters, the application fails to sanitize and transform input supplied in the form on UTF-7 [15] leading to a Cross-site scripting attack. Additional examples can be found at [16] and [17]. As mentioned earlier, applications that are internationalized have a need to support multiple languages that cannot be represented using common ISO-8859-1 (Latin-1) character encoding. Languages like Chinese, Japanese use thousands of characters and are therefore represented using variable-width encoding schemes [18]. Improperly handled mapping and encoding of such international characters can also lead to canonicalization attacks [19].

Based on input and output handling requirements, applications should identify acceptable character sets and implement custom sanitization routines to process and transform data specific to their needs. Additional information on outputting data in international applications can be found at [22].

Input Filtering

Input Filtering is a decision making process that leads either to the acceptance or the rejection of input based on predefined criteria. In its most basic form, input filtering deals with matching or comparing an input data stream with a predefined set of characters to determine acceptability. Acceptable input is passed forward for processing and unwanted characters are blocked thus preventing the application from processing unrecognized and potentially malicious input. There are two major approaches to input filtering [2]:

Whitelist - Allowing only the known good characters. E.g. a-z,A-Z,0-9 are known good characters in the whitelist and are hence accepted by the filter
Blacklist - Allowing anything except the known bad characters. E.g. <,/,> are known bad characters in the blacklist and are hence blocked by the filter

There are advantages and disadvantages to both approaches. Blacklist based filtering is widely used as it is fairly easy to implement, but offers protection only from known threats. Characters in a blacklist can be modeled to evade filtering as the filter only blocks known bad characters; an attacker can specially craft an attack to avoid those specific characters. Researchers have demonstrated several ways of evading blacklist based filtering approaches. The XSS cheat sheet [7] and SQL cheat sheet [8] are classic examples of how filter evasion techniques can be used against blacklist based approaches. Both Mitre [9] and NVD [10] host several advisories describing vulnerabilities due to poor blacklist filtering implementations.

Whitelist based filtering is often more difficult to implement properly. Although proven efficient with virus and malware protection techniques, it can be difficult to compile a list of all good input that a system can accept.

Input validation, sanitization and filtering requirements apply equally to elements beyond web application code. Web application infrastructure components like web servers and proxies that handle web application requests and responses have been shown to be vulnerable to attacks caused due to weak input validation of HTTP request/response headers. Some examples include HTTP Response Splitting [25], HTTP Request Smuggling [26], etc...

A common approach to perform input filtering, validation and sanitization is through the use of a regex (Regular Expressions) [23]. Regular Expressions provide a concise and flexible means of identifying patterns in a given data set. Many ready-made regular expressions that deal with common input/output related attacks such as SQL Injection [4], OS Commanding [5] and Cross-Site Scripting [27] are available on the Internet. While these regular expressions may be simple to copy into an application, it is important for developers using them to ensure they are evaluating the requirements for their expected input streams.

Commercial companies like Microsoft and open source communities like OWASP have ongoing efforts to provide protection tools against some of the common attacks mentioned above. Microsoft's Anti Cross-Site Scripting Library [28] not only guides its users and developers with putting measures in place to thwart cross-site scripting attacks, but also provides insight into alternatives for proper input and output encoding where its library routines may not apply. OWASP's ESAPI project [6] provides guidelines and primary defenses against SQL Injection attacks. It also provides details on database specific SQL escaping requirements to help escape/encode user input before concatenating it with a SQL query. SQL escaping, as advocated in EASPI, uses DBMS character escaping schemes to convert input that can be characterized by the SQL engine as data instead of code.

Common examples of attacks due to Improper Input Handling

Buffer Overflow

The length of the source variable input is not validated before being copied to the destination dest_buffer. The weakness is exploited when the size of input (source) exceeds the size of the dest_buffer(destination) causing an overflow of the destination variable's address in memory.

void bad_function(char *input)

char dest_buffer[32];

strcpy(dest_buffer, input);

printf("The first command line argument is %s.\n", dest_buffer);

int main(int argc, char *argv[])

if (argc > 1)

bad_function(argv[1]);

else

printf("No command line argument was given.\n");

return 0;

See [3] for more on this and similar attacks.

SQL Injection

The sample code below shows a SQL query used by a web application authentication form.

SQLCommand = "SELECT Username FROM Users WHERE Username = '"

SQLCommand = SQLComand & strUsername

SQLCommand = SQLComand & "' AND Password = '"

SQLCommand = SQLComand & strPassword
SQLCommand = SQLComand & "'"
strAuthCheck = GetQueryResult(SQLQuery)

In this code, the developer combines the input from the user, strUserName and strPassword, with the existing SQL statement's structure. Suppose an attacker submits a login and password that looks like the following:

Username: foo

Password: bar' OR ''='

The SQL command string built from this input would be as follows:

SELECT Username FROM Users WHERE Username = 'foo'

AND Password = 'bar' OR ''=''

This query will return all rows from the user's database, regardless of whether "foo" is a real user name or "bar" is a legitimate password. This is due to the OR statement appended to the WHERE clause. The comparison ''='' will always return a "true" result, making the overall WHERE clause evaluate to true for all rows in the table. If this is used for authentication purposes, the attacker will often be logged in as the first or last user in the Users table.

See [4] for more information on this and other variants of SQL Injection attack

OS Commanding

OS Commanding (command injection) is an attack technique used for unauthorized execution of operating system commands. Improperly handled input from the user is one of the common weaknesses that can be exploited to run unauthorized commands. Consider a web application exposing a function showInfo() that accepts parameters name and template from the user and opens a file based on this input

Example: http://example/cgi-bin/showInfo.pl?name=John&template=tmp1.txt

Due to improper or non-existent input handling, by changing the template parameter value an attacker can trick the web application into executing the command /bin/ls or open arbitrary files.

Attack Example:

http://example/cgi-bin/showInfo.pl?name=John&template=/bin/ls|

See [5] for more on this and other variants of OS commanding or Command Injection attack

References

Character encodings in HTML

[1] http://en.wikipedia.org/wiki/Character_encodings_in_HTML

Secure input and output handling

[2] http://en.wikipedia.org/wiki/Secure_input_and_output_handling

Buffer Overflow

[3] http://projects.webappsec.org/Buffer-Overflow

SQL Injection

[4] http://projects.webappsec.org/SQL-Injection

OS Commanding

[5] http://projects.webappsec.org/OS-Commanding

OWASP ESAPI

[6] http://www.owasp.org/index.php/ESAPI

XSS Cheat Sheet

[7] http://ha.ckers.org/xss.html

SQL Cheat Sheet

[8] http://ha.ckers.org/sqlinjection/

CVE at Mitre

[9] http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=blacklist

National Vulnerability Database

[10] http://nvd.nist.gov/

CWE-20: Improper Input Validation

[11] http://cwe.mitre.org/data/definitions/20.html

Microsoft IIS Extended Unicode Directory Traversal Vulnerability

[12] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884

Google XSS Vulnerability

[13] http://shiflett.org/blog/2005/dec/googles-xss-vulnerability

Unicode/UTF-8

[14] http://en.wikipedia.org/wiki/UTF-8

Unicode/UTF-7

[15] http://en.wikipedia.org/wiki/UTF-7

Widescale Unicode Encoding Implementation Flaw Discovered

[16] http://www.cgisecurity.com/2007/05/widescale-unico.html

Unicode Left/Right Pointing Double Angel Quotation Mark

[17] http://jeremiahgrossman.blogspot.com/2009/06/results-unicode-leftright-pointing.html

Variable width encoding schemes

[18] http://en.wikipedia.org/wiki/Variable-width_encoding

Canonicalization, locale and Unicode

[19] http://www.owasp.org/index.php/Canoncalization,_locale_and_Unicode

Canonicalization

[20] http://en.wikipedia.org/wiki/Canonicalization

The Methodology and an application to fight against Unicode attacks

[21] http://cups.cs.cmu.edu/soups/2006/proceedings/p91_fu.pdf

Improper Output Handling

[22] http://projects.webappsec.org/Improper-Output-Handling

Regular Expressions

[23] http://en.wikipedia.org/wiki/Regular_expression

Path Traversal

[24] http://projects.webappsec.org/Path-Traversal

HTTP Response Splitting

[25] http://projects.webappsec.org/HTTP-Response-Splitting

HTTP Request Smuggling

[26] http://projects.webappsec.org/HTTP-Request-Smuggling

Cross Site Scripting

[27] http://projects.webappsec.org/Cross-Site-Scripting

Microsoft Anti-Cross Site Scripting Library V3.0

[28] http://www.microsoft.com/downloads/details.aspx?FamilyId=051ee83c-5ccf-48ed-8463-02f56a6bfc09&displaylang=en

HTML 5 "pattern" attribute

[29] http://www.w3.org/TR/html5/forms.html#the-pattern-attribute

Original here.

Brief: Firefox feature looks to foil XSS attacks

noreply@blogger.com (JaviZ) — Sat, 03 Oct 2009 18:52:00 +0000

The Mozilla Foundation released on Wednesday a preview version of the Firefox browser that implements a technology to protect against scripting attacks.

The technology, known as Content Security Policy, allows Web sites to specify restrictions on how they handle scripts. Using CSP, a Web site can create a white list of sites from which the browser should accept scripts as well as mandate that the scripts are labeled as applications and are not obfuscated. A number of other features are also available, all aiming to prevent malicious scripts from executing in the context of the current site.

The preview does not implement the entire specification, and Mozilla is looking for testers and feedback, Brandon Sterne, security program manager for Mozilla stated in Wednesday's blog post.

"Please be aware that there are still a few rough spots," Sterne said. "The implementation is not quite complete so you may notice some small gaps between the preview builds and the spec."

Content Security Policy is based on recommendations made by Robert "rsnake" Hansen back in 2005. Most browsers treat all scripts the same, executing in the context of the current site, no matter where they originated. The defacto policy is what allowed untrusted ads on The New York Times site to recently serve up malicious software to visitors and allowed the Samy and other Web worms to spread. Content Security Policy allows sites to tell browsers which scripts should be allowed as well as additional restrictions on scripting.

Mozilla has created a demo page for security researchers who want to see content security policy in action.

Source: securityfocus.

Social Engineering at its best

noreply@blogger.com (JaviZ) — Fri, 02 Oct 2009 10:39:00 +0000

In conjunction with a team of social engineers, penetration testers and information security experts, www.social-engineer.org is opening its “virtual” doors today.

The team at Offensive Security has been working with many contributors and specialists to put together the Webs Official Framework for Social Engineering.

www.social-engineer.org will house an ever growing framework for social engineering as well tools, how-to’s, informational reviews and podcasts all geared at helping security minded professionals enhance their awareness and knowledge in the field of social engineering. Join us at http://www.social-engineer.org for more info.

source: OffensiveSecurity.

Tricks with Google!

noreply@blogger.com (JaviZ) — Sat, 26 Sep 2009 18:05:00 +0000

This write up is nothing related to Information Security. But, it is good to know information for. There are three tricks in all:

1. FastFlip through articles: Google recently launched a new service: FastFlip, which can help you read online pages just as you flip through a magazine. These pages are indexed by the Google bot from many Google partner websites and presented to you for a quick read. You also have an option to choose the stuff you read by logging in to your account and customizing the application.

FastFlip can be found here.

2. Play Monopoly with Google Maps: This can be a leisure activity on those days when you do not have anything that’s fun to do. So, Google has teamed up with the worlds largest Monopoly board game manufacturer (!), so that you can use Google Maps as a board for Monopoly. The rules are similar to what we normally play. You initially get paid out 3 million Monopoly dollars (!) to play.

You can play this game here.

3. Search real time indexed pages on Google: So, you wish to keep up with your favorite web site as soon as Google has indexed its recently updated/added page? You can now do so using a parameter that we observed recently. This parameter is- tbs=qdr:

You can get results with a seconds delay, i.e., after it being indexed! According to us, ‘tbs’ stands for ‘to be scanned’ and ‘qdr’ stands for ‘query data range’! This might not be the true meaning. It can take the following units – s (second), n (minute. We don’t know why they do not have a m instead), h (hour), d (day), w (week) , m (month) and y (year). For example,

tbs=qdr:s1 [1 second delay]
tbs=qdr:n1 [1 minute delay]
tbs=qdr:h1 [1 hour delay]
tbs=qdr:d1 [1 day delay]
tbs=qdr:w1 [1 week delay]
tbs=qdr:m1 [1 month delay]
tbs=qdr:y1 [1 year delay]

For example, http://www.google.com/search?q=Javier%20Echaiz&tbs=qdr:d1

Source: pentestit.

Comodo Internet Security – Free All-in-one Firewall & Antivirus

noreply@blogger.com (JaviZ) — Sat, 26 Sep 2009 14:15:00 +0000

Comodo Internet Security is the free, multi-layered security application that keeps hackers out and personal information in.

Built from the ground upwards with your security in mind, CIS offers 360° protection by combining powerful Antivirus protection, an enterprise class packet filtering firewall, and an advanced host intrusion prevention system called Defense+.

Features of Comodo Internet Security

- All-in-one Firewall & Antivirus
- Defends your PC from Internet attacks
- Detects and eliminates viruses
- Prevents malware from being installed
- Easy to install, configure and use
- Free to both business and home users
- Default Deny Protection (DDP)
- Prevention-based protection
- Personalized protection alerts
- Real-time access to updated virus definitions
- One-click virus scanning
- Uncluttered, user-friendly interface
- Thorough security “wizards”
- Unique “slider” to easily change your current security level
- Exclusive access to Comodo’s “safe-list”

Comodo Internet Security Includes:

Firewall: Slam the door shut on hackers and identity thieves.
Antivirus: Track down and destroy any existing malware hiding in a PC.
Defense+: Protects critical system files and blocks malware before it installs.
Memory Firewall: Cutting-edge protection against sophisticated buffer overflow attacks.
Anti-Malware Kills malicious processes before they can do harm.

Operating system:

Windows XP (SP2) or Vista 32 bit
64 MB RAM / 70 MB hard disk space
Windows XP (SP2) or Vista 64 bit
64 MB RAM / 105 MB hard disk space

We have published and revied anti virus and firewalls, this one is effective and proctects you from bad guys and their malwares. Tested on windows XP full of internet virus it manged to clean 98 % of known virus and 70 % modified malwares. As it also has firewall so browser hijack was also detected but was not cleaned. overall we were protected and its also Free !!!. So we had some soft corner.

Download Comodo Internet Security Here

Source: pentestit.com.

Twitter DM Phishing Scam

noreply@blogger.com (JaviZ) — Fri, 25 Sep 2009 23:42:00 +0000

As Twitter gains momentum there are more and more attacks on it, it’s users and the most recent is a phishing scam via DM (Direct Message).

It was uncovered recently that it was being used as a Botnet Control Channel, shortly before that it was subjected to a DoS attack.

This isn’t the first time DMs have been used in a Phishing attack too.

Phishers are targeting Twitter users in a new attack involving direct messages sent to Twitter users containing a link to a site requesting user log-ins.

There are reports of a new phishing scam making the rounds on Twitter. The attack seeks to steal user credentials by sending tweets out with links to a phishing site. The attack site requests the user’s log-in information; once the attackers have that, they can take over the account of the victim and use it to send out more messages.

According to messages from Twitter users, the tweets with the link to the phishing site have to do with the sender supposedly making a certain amount of money. Such periodic phishing attacks on users of the popular microblogging service have become a fact of life.

I’m not exactly sure why anyone would want to steal a bunch of Twitter accounts? Perhaps to monetize them somehow with spam/affiliate schemes.

But the current threat on Twitter is a phishing scam executed via DM with a link to various things including ways to make money, a video of you or some other juicy gossip.

The cornerstones of social engineering in phishing attacks.

In May, researchers at Sophos reported that a number of Twitter users were lured to a phishing site via a tweet with the message: “check this guy out [tinyurl address leading to the attack site].” As was the case in that instance, URL shortening services are increasingly being abused by attackers to mask the Websites they are sending their victims to.

Besides drawing attackers as it has grown, Twitter has also gotten the interest of security researchers, as shown by the “Month of the Twitter Bugs.”

Twitter warned users about the attack, stating in a message: “A bit o’ phishing going on—if you get a weird direct message, don’t click on it and certainly don’t give your log-in creds!”

If you are using Twitter you should follow @spam and keep up to date with what is happening on the network.

Source: eWeek

Windows Software

noreply@blogger.com (JaviZ) — Tue, 22 Sep 2009 03:22:00 +0000

Avast: Another free Anti-Virus software. Just as good as AVG. However this one is more system intensive than AVG or NOD.
Bitdefender: Popular anti-virus software- Free of charge. Free- NOT real time scanning -only manual scanning)
ClamWin: Small and non-intrusive anti-virus. Like Bitdefender (Free- NOT real time scanning -only manual scanning)
AntiVir: An anti-virus that has been around for a long time – still free for home use.
Blink: First security solution to build all of the necessary protection layers into a very lightweight package. (Contains a software Firewall)
NOD32: The absolute BEST anti-virus protection. (I know, I clean scumware for a living). 30day trial. Or purchase.
Kaspersky: A very sweet anti-virus software with a 30day trial. Be sure to JUST get the AV, not the full suite of bloatness.

TheCleaner: This finds/prevents trojan horses. This is on a 30day trial, however very recommended – try it.
DiamondCS: Many high-end programs for worm/Trojan detection, 30day trial.
Windowsecurity: Free online Trojan scanner.

Ad-Aware SE: Great for getting rid of spyware and malware – the items that can cause annoying pop-ups.
SpyBot: Similar to Ad-Aware, however more aggressive. Clean up spyware and hijack attempts.
SpyCatcher: Active Protection. One of the most advanced antispyware solution available as a free service.
AVG AntiSpyware : Clean annoying malware such as spyware, Trojans and hijackers. Great compliment to an anti-virus.
MalwareBytes: Since programs like Ad-Aware have become.. crap, this is a GREAT replacement for cleaning.
CounterSpy: Probably the best shield against spyware. The best database cleaner there is. Period. 30day trial.
Comodo BOClean: This is more of a “real time” (run the the background) anti-spyware. Not a fan of TSR’s, but this works.
CWShredder: Takes care of many hijacking software – run if you get many pop-ups/redirecting pages.
HijackThis: Tool to find out if there is “hijack” software on your system. Use the logfile analyzer if your not sure.
Kill2me: Another stomper of spyware – bring it on.
KillBox: Very nice for taking care of “Abetterinternet” and other n00bish software.
a² free: This bridges the gap with anti-virus and malware. This free scanner cleans Trojans, worms, spyware (all malware).
SpywareBlaster: Active prevention against spyware, adware, browser hijackers and dialers.
HitmanPro2: Incorporates all major Anti-Spyware software and updates/runs them all for you. Too cool.
WinDiz: Windows updates with FireFox. Great if ActiveX is damaged by spyware.

POPfile: Perfect/Free ani-Spam tool. Involved installation, but once it’s set – it’s good.
IHateSpam: For Exchange (V5.5, 2000 and 2003) was uniquely developed to be both user and admin-friendly. 30day trial.
Spamihilator works between your E-Mail client and the net. Useless spam mails (Junk) will be filtered out.
SpamBayes: is a tool used to segregate unwanted mail (spam) from the mail you want (ham).
SpamPal: Mail classification program that separates your spam from the mail you really want to read.
OSpam: A great and simple spam solution for any POP account.

Sygate. Just bought by Symantec – now it’s going to be crap. Hurry and get this before it happens.
Tiny: Tiny is a free firewall. It is designed for the more advanced due to the heavy features included.
Comodo: Great little personal firewall. This is pretty new and robust.
OutPost: An Opensource based firewall. Works very well protecting against worms, trojans and hackers.
Kerio: Smart, easy-to-use personal security technology that fully protects PC’s against hackers and internal misuse. The best.
Protowall: Very small application that blocks IP address. Very cool.
Prevx: Stops the attacks that bypass anti-virus and firewall products.

PowerCrypt 2000: Encrypted files, folders and E-mails. This free file lets you hide all your data.
PGP: “Pretty Good Privacy”. Actually it’s probably the best encryption software out there. Free – PC/MAC
Cryptainer LE: Secure your data and ensure absolute privacy with Cypherix’s powerful 128bit encryption.
BitCrypt: A sophisticated tool allowing for encryption of plain text within a bitmap image.
EasyCrypto: Encrypt both standalone files and entire folders. Many cool options here.
Truecrypt: Free open-source disk encryption software for Windows XP/2000/2003.
MD5HashGen: Simple application that can generate one-way MD5 hashes – Great for password generations.
PerfectPasswords: GRC’s Ultra High Security Password Generator.
RoboForm: A free password manager and one-click web form filler. Just be carefull who uses your PC.
Password Safe: Allows you to have a different password for all the different items that you deal with – remembers for you.
CutePasswordManager: Form filling software that auto fill user/password. Stores info with 256-bit AES encryption – 1click login. *
PIN’s: Storing of any secure information like passwords, accounts, PINs etc. 448 bit Blowfish. Does not install.

Eraser: FBI just kick in the door? This little program will erase data to a level that the Dept. Of. Defense uses.
KillDisk: KillDisk conforms to US Department of Defense clearing and sanitizing standard DoD 5220.22-M.
AutoClave: Hard drive sterilization on a bootable floppy.
SuperShredder: Shred’s individual files. It’s stronger than DOD specs.
DBAN (”Darik’s Boot and Nuke”) is a self-contained boot floppy that makes it an appropriate utility data destruction.

Anonymizer: Installs a small toolbar into your browser. Moves your connection to proxies around the word. Slows connection.
Proxify.com Spoof your IP address without installing software. The paid version is much faster.

SpeedFan: Allows you to see your CPU temperature. Good for overclockers and modders.
Motherboard Monitor: Like speedfan, reads temperature and fan RPM data – alerts you when there’s trouble.
Si Meter: Great/free/small application that does live monitoring on system resources.
TDIMon: Lets you monitor TCP and UDP activity on your local system.
InterMapper: Gives a visual in real-time view of traffic flows through and between critical network devices and links.
WinBar: A compact program that lets you monitor your system and provides easy access to frequently used controls.

RegSupreme: Clean up the registry from old entries, speed up your system. 30day trial.
RegSeeker: Very tiny – does not install. I have tested this and trust it. Many tweak options with it.
RegscrubXP: A great free registry cleaner for XP. Fix those “weird issues” with Windows.
Beclean: is the complete suite of system cleaner. Registry to history – cleans many things.
CCleaner: Removes unused and temporary files from your PC – allowing it to run faster, more efficiently and saving space.
MyUninstaller 1.0: Uninstall anything,clean out old video drivers, uninstall programs that are not in “add/remove”.
DriverCleaner: Made to fully clean out the drivers of ATI and NVIDIA.
MSconfig: Get rid of startup programs that slow your PC down. This would be for Windows 2000.
Starter: It’s better than Msconfig. Also works with Windows 2000, which is nice due to the fact that 2k doesn’t have msconfig.
PreFetch cleaner: A pre-fetch scrubber to clean out files that are used commonly – can be corruption or spyware hiding.

Belarc: Takes a snap-shot about a PC (hardware-software) with a full profile report. This is very handy.
SIW: A small .exe that when ran – gives you all kinds of info about your PC and software. Need this on your tools disk.
PcpBios: Very tiny script that looks at all BIOS related information. RAM, CPU and motherboard instant info.
EVEREST: (recently AIDA32). Like Belarc, gives full system summary of hardware and software/keys.
SpaceMonger: A tool for keeping track of the free space on your computer. It shows a graph of files and sizes.
IP subnet calculator: A diagnostics tool to calculate your network latency and subnet information.
CPUid: A very small application that tells you about your specific specs. (FSB, core clock, dual channel etc.).
PC Pitstop: A good site to check how your doing on fine tuning your computer. It will also help you fix your issues.
PowerMax: Diagnostics for hard drives made by Maxtor. Download, put on a floppy or CD and test your HDD.
MemTest86: Diagnostics for your RAM. Download, put on a floppy or Cd and test your RAM.
Monitor Asset Manager: A Plug and Play monitor information utility. Provide detailed technical information about the target display.
ShieldsUP: Port scanning of all ports or custom scans. See how good your firewall is doing.
BandwidthTest: Test your internet connection speed.

TweakUI: Perfect for somebody who really wants to customize there XP. Made my Microsoft
X-Setup: Like TweakUI but with more functionality and options. Very slick.
ResourceHacker: Get in and really tweak or fix Windows. Great registry GUI hacking.
RenameRecycleBin: I made this registry value in notepad, download/double-click/”yes”/throw away, rename your recycle bin.
Matrix Screensaver: Best (only) Matrix screensaver out on the web. Great options. Here is actual text (change name for you)
FOOOD’s Icons: Great free icons for XP. Default is boring.
Strokit: Advanced mouse gesture recognition engine and command processor.
ReForce: Windows 2k and XP have an issue with Hz in games. This will allow you to set all games at a specific Hz setting.
Keyboard Remapper: Remap your keyboard keys. Easy enough.
ClocX: Analog clock for the desktop.
Xpadder: Map your game pad or RC TX to keyboard keys. Wokrs great for customized controllers.
Alarm: A digital clock that you can set to display a message and play a sound at a time of your choice. AlarmClock
WeatherPlus: Display satellite images and video around the globe, stay updated on current and expected weather conditions.
Nlite: Remove or add Windows components to your Windows CD – for next time you re-install Windows.
AutoStreamer: Just like Nlite, this is specifically for adding Service Packs to your Windows install CD’s.
Digital Blasphemy: Probably the best wallpapers and images on the net.
Konfabulator: Engine that lets you run little files called Widgets that can do pretty much whatever you want them to.

File Recovery: This is free software made by PC Inspector. Really, Really nice if you lost or trashed a file and need it back.
Smart Recovery: Recover data from flash drives: CF, SM, Thumbdrives, micro drives – etc.
Disk Investigator: Discover all that is hidden on your computer hard disk, recover lost data.
File Scavenger: Undelete and data recovery utility for NTFS volumes. 64KB or smaller files can be recovered with free trial.
CDCheck: Utility for the prevention, detection and recovery of damaged files on CD-ROMs and error detection.
Restoration: Tiny program that doesn’t install. Perfect if you trashed a file (even emptied the recycle bin) and you need it back.
RecoverOutlookMail: A little trick for recovering those corrupted .PST files.

FireFox: Drop Internet Explorer and get a superior browser. Check out the add-ons.
Google Chrome: A great webkit based browser by Google. Very fast. *
Opera: If you don’t use FireFox, use Opera. Now that it is free and Ad-free – it is now recommended.
Safari: Apples web browser now for Windows. Great web browser next to Firefox.
Reload Every: Extension for FireFox. Allows you to set reload times on your browser windows so you won’t be logged out.

FileZilla: An FTP program that is superior to “Cute”, and is Free.
WinSCP: Open source SFTP client for Windows using SSH and SCP protocol’s. Secure FTP.
FireFTP: If you use FireFox browser (like you should be) – use this plug-in for FTP functionality in your browser.
Hamachi: Setup two or more computers with an Internet connection into their own virtual network for direct secure communication. How-to’s
FolderShare: Securely keep files synchronized between your devices and remotely download your files from any browser.
LogMeIn: Easy to log into a PC from a PC, MAC or linux machine. No port forwarding involved! Just like terminal services but easier.
Avvenu: Remote connect to your PC from another PC or any web-enabled handheld. Perfect for getting those files you forgot.
Crossloop: Secure screen sharing utility designed for people of all technical skill levels. Basically, TightVNC but no port forwarding needed.
TightVNC: Remote control software- see the desktop of a remote machine and control it with your local mouse and keyboard.
RemoteDesktop: Microsoft remote desktop client side installer for older Windows versions.
RDPortX: A small app I made to change the defualt 3389 port that Remote Desktop ueses. Great for multiple RD servers on the same network.
eMando: Client/server package which you can use to control and manage a computer over a LAN or the Internet.
DirectUpdate: Get an Email of your WAN IP address changes even behind a router (for dynamic ISP’s). 60day trial ($15.00 – buy).
DynDNS: A full list of dynamic IP administration software tools.

CDBurner-XP Pro: Just like it sounds, burning program for Windows. Free.
ImageBurn: A lightweight CD / DVD / HD DVD / Blu-ray burning application.
ISORecorder: Small program to burn images of CD’s. Once installed, right click an .ISO’s or a ROM drive and “create CD image”.
DeepBurner: A full featured Burning app for CD’s, DVD’s and ISO’s. Much like Nero only totally ~~Free

Source: nycgraphix.com.

Malware Analysis Tools and Techniques

noreply@blogger.com (JaviZ) — Tue, 15 Sep 2009 18:56:00 +0000

Malware Analysis Tools and Techniques

Apart from what guidelines have been published in various books and articles. My this post will summarize the overall manual and automated techniques to simulate and test the samples of malwares collected and their behavioral activities. To be noted that a "Malware" could be delivered in the form of trojan, virus or worm.

Manual Toolset
These tools require the collaboration of other toolset used in conjunction, to support depth analysis of a malware.

Foundstone BINTEXT
Malzilla (Analyzing Web-Based Malwares - JavaScript/iFrame)
HTTP Proxy Debuggers (Paros, WebScarab)
Nepenthes
iDefense SysAnalyzer, HookExplorer and MAP (Malcode Analyst Pack)
RegShot
SysInternals Tools
PEiD Tool (Very important to detect packers/compilers/cryptors)
UPX
FireBug
OllyDbg
WinDbg
GDB GNU (Linux)
OllyDump
OllyScript
SoftICE (Reversing)
IDA Pro (Reversing)
Salamander Decompiler (.NET Applications)
Reflector.Net Tool
DaFixer's DeDe (Delphi)
Backerstreet.com REC
HeavenTools PE Explorer
HijackThis

Automated Online Tools
These online submission services automatically analyze the malware in a very restricted environment(simulate) and record their activites and produce results on the basis of various Anti-Virus/Malware detection.

CWSandbox.org
ThreatExpert.com
VirusScan.jotti.org
Norman.com/microsites/nsic/
Malwareinfo.org
VirusTotal.com
VirScan.org

Source: EthicalHacker.

Windows autorun may autoinfect

noreply@blogger.com (JaviZ) — Mon, 14 Sep 2009 03:38:00 +0000

Nothing beats a USB port for convenience, whether you want to quickly transport a couple gigabytes of files for work, refresh the lineup on your MP3 player, or view the pictures from your recent trip to Boise. Unfortunately, USB ports also provide an overly convenient bridge for malware to creep from a portable media device onto an unsuspecting user's system. In fact, it seems nearly every client I visit these days has numerous computers carrying USB-infecting malware -- even trusted clients with otherwise stellar security histories. It's getting so bad that I'm scared to share USB keys with my clients.

The primary culprits here: Microsoft Windows' autorun and autoplay features for portable media devices (USB keys, USB hard drives, camera memory flash cards, and so on). To make users' lives easier, Microsoft coded Windows to seek and deploy autorun and autoplay files on removal media. A user connects his or her device, and the program it contains launches automatically, if so designed by the software developer. It's what allows a CD or DVD to start playing the moment it's inserted or a new software program's install routine to automatically commence.

[ Already infected by malware? Starting from scratch is the best course of action [1]. | Are you up to snuff in your security regimen? Get your defenses in tip-top shape with InfoWorld's Security Boot Camp [2], a 20-lesson course via e-mail that begins Sept. 21. ]

Unfortunately, malware writers have co-opted autorun and autoplay to spread rogue code. An unsuspecting user inserts a portable media device containing the code, which is often invisible to the casual user. The malware then uses autorun and autoplay -- and maybe the desktop.ini file -- along with the hidden core malware program to pull off the overall exploit. The malware can then go on to infect the computer and network using other vectors, such as network shares, password guessing, and normal infection vectors, or it can stick to infecting removal media devices. Either way, it's not a good thing.
[3]

My recommendation: Protect your systems and your network by disabling the autorun and autoplay functionalities and by educating users on how to manually launch any needed program. Disabling this functionality has become easier and easier with each new version of Windows. It can be done using Group Policy or registry edits. In many cases, you might have to install an additional software hotfix to get all the needed disabling functionality.

Specifically, to disable the autorun functionality in Vista or in Windows Server 2008, you must have security update 950582 installed (security bulletin MS08-038). To disable the autorun functionality in Windows XP, Windows Server 2003, or Windows 2000, you must have security update 950582, 967715, or 953252 installed. (See Microsoft's Web site [4] for more details. It covers what software fixes to install, if needed, and the related registry keys and group policies that can be configured.)

My friend Jesper Johannson has an excellent description [5] -- and solution discussion -- of the problem, which I highly recommend.

Even if you fix your computers, you have to be careful as to where you stick your USB device. It's truly similar to sex advice: You are sharing your USB device with every USB device that has shared the same port.

Of course, it doesn't hurt to run antimalware software, even if it isn't 100 percent accurate, configured to autoscan all autolaunching code or inserted media devices.

Also, if I share my USB key, I always look for any added autorun.inf, desktop.ini, or newly appearing executable files. I configure Windows Explorer to show all files (hidden, system, and registered extensions) so that any hidden files are shown. You can disable USB ports (or any devices or ports) physically or by using Group Policy, registry edits, or third-party software. Last, check all your removal media to make sure they haven't been silently infected and you aren't spreading the disease.

Practice safe computing and disable autorun and autoplay -- so we can go back to fighting Internet-based malware.

Are your network defenses feeling a little flabby? InfoWorld's Security Boot Camp will whip your IT operation into shape in next to no time. Get Roger Grimes’ advice delivered to your in-box in a special, four-week e-mail-only course. Sign up now [6].

* Security Central
* Malware
* Windows

Source URL (retrieved on 2009-09-29 12:18PM): http://www.infoworld.com/d/security-central/windows-autorun-may-autoinfect-266

Links:
[1] http://www.infoworld.com/d/security-central/starting-scratch-only-malware-cure-451?source=fssr
[2] http://www.infoworld.com/security-boot-camp?source=fssr
[3] http://www.infoworld.com/security-boot-camp?source=editinline
[4] http://support.microsoft.com/kb/967715
[5] http://technet.microsoft.com/en-us/magazine/2008.01.securitywatch.aspx
[6] http://www.infoworld.com/security-boot-camp

Source: Roger A. Grimes.

Análisis forense de cola de impresión de Windows

noreply@blogger.com (JaviZ) — Fri, 11 Sep 2009 00:02:00 +0000

Es posible recuperar el último archivo impreso en Windows y visualizarlo. Para realizar esta técnica es necesario saber el funcionamiento de la cola de impresión en Windows.

En el momento que se envía un archivo a imprimir, se crea un archivo de almacenamiento intermedio en formato EMF, donde se almacena lo que se envía a la impresora y las opciones de impresión, su extensiones son: *.SPL y *.SHD. Cuando la impresión finaliza, Windows borra estos archivos que se almacenan en:

c:\windows\system32\spool\printers

Para hacer un análisis forense del último documento impreso, hay que usar un software de recuperación para obtener los archivos *.SPL y *.SHD.

Una vez recuperado estos archivos con la herramienta EMF Spool Viewer es posible: descifrar estos archivos, visualizar el último archivo impreso y obtener las propiedades de impresión utilizadas

Para la cronología de la escena podemos usar los metadatos del archivo o la fecha de eliminación ya que corresponde con la fecha de impresión. Esta técnica funciona para Windows NT/2000/XP/VISTA.

Más información y descarga de EMF Spool Viewer:
http://www.codeproject.com/KB/printing/EMFSpoolViewer.aspx

Más información sobre la cola de impresión y archivos EMF:
http://www.microsoft.com/india/msdn/articles/130.aspx

Autor: Alvaro Paz
Fuente: Guru de la informática

Microsoft IIS FTP 5.0 Remote SYSTEM Exploit

noreply@blogger.com (JaviZ) — Mon, 07 Sep 2009 03:35:00 +0000

A remote Microsoft FTP server exploit was released today by Kingcope, and can be found at http://milw0rm.com/exploits/9541,

A quick examination of the exploit showed some fancy manipulations in a highly restrictive environment that lead to a ”useradd” type payload. The main issue was the relatively small payload size allowed by the SITE command, which was limited to around 500 bytes.

After a bit of tinkering around, we saw that the PASSWORD field would be most suitable to shove a larger payload (bindshell). A quick replacement of the original “user add” shellcode with a secondary encoded egghunter – and a bind shell was presented to us! I wonder how long this 0day has been around…As Rel1k would say to logan_WHD…”it’s OK, it’s OK…”.

The exploit can be downloaded from BackTrack's exploit archive. To entertain the masses, they also made “Microsoft IIS 5.0 FTP 0 Day – The movie“

Memoria USB Booteable con Varias Distribuciones de Seguridad Informática

noreply@blogger.com (JaviZ) — Sun, 06 Sep 2009 12:45:00 +0000

A continuación va la receta de cómo llevar nuestras distribuciones de seguridad preferidas en una sola memoria USB/pendrive, todas funcionando correctamente.

Primero de todo nos descargamos las herramientas que necesitamos.

PeToUsb
WinGrub
Una llave USB.

Una vez nos hayamos descargado PeToUsb iniciamos y procedemos a formatear la llave USB.

Ahora nos pedirá confirmación:

Y aqui entonces nos avisa de que se eliminarán todos nuestros datos.

Entonces empezará el formateo:

Cuando acabe el formateo nos saldrá un mensajito:

Una vez tenemos preparado nuestro dispositivo vamos a instalar GRUB en él.

Abrimos la aplicación WinGrub que ya hemos instalado antes. Nada mas iniciarlo nos pedirá sobre que dispositovo USB instalaremos GRUB

Ahora instalaremos GRUB en el USB.

Ahora ya tendremos GRUB instalado.

Ahora cojeremos cualquier LIVE-CD y copiaremos su contenido en la raíz del USB.

Yo lo he echo con Backtrack.

Una vez hayamos copiado el contenido del CD dentro de la llave USB. Creamos un archivo en blanco que sea menu.lst

Dentro del archivo de configuración del Menú le ponemos como ha de arrancar la distribución en sí.

Ejemplo para backtrack:

title BackTrack 4
root (hd0,2)
kernel /boot/vmlinuz vga=0×317 ramdisk_size=6666 root=/dev/ram0 rw quiet
initrd=/boot/initrd.gz
boot

Con esto ya tendríamos el GRUB configurado.

Nota: Cada LIVE -CD se estructura normalmente con dos carpetas, una carpeta boot, y otra con el nombre de la distribución.

Si queremos poner mas de un LIVE-CD podemos renombrar la carpeta boot con otro nombre.

Ejemplo, backtrack4 le ponemos el nombre de bootbt4, kon-boot a bootkon y asi sucesivamente.

Si se cambia el nombre de boot, recordad de cambiarlo en el menu.lst también.

Yo por ejemplo ya he configurado mi grub y las distrubuciones que quería.

Me ha quedado algo así.

Y si lo ponemos desde mas cerca…

Y como veis podremos poner las distribuciones que queramos en nuestro USB.

Fuente: DragonJar.

Damn Vulnerable Web App

noreply@blogger.com (JaviZ) — Sun, 06 Sep 2009 12:43:00 +0000

Ryan Dewhurst desarrollador del DVWA (Damn Vulnerable Web App) ha liberado hoy una nueva versión (1.0.5), de esta excelente herramienta para testear diferentes vulnerabilidades web.

4v4t4r ya nos había comentado sobre esta aplicación que tiene como finalidad ofrecer a los profesionales, estudiantes e investigadores en seguridad informática un conjunto de utilidades con las cuales podemos exploter y entender un amplio grupo de vulnerabilidades web.

Algunos cambios en esta nueva versión:

Se re escribió completamente el codigo.
Se rediseño completamente el aspecto de la aplicación.
Se agrego la vulnerabilidad CSRF.
Ahora las vulnerabilidades XSS se almacenan.
Se agrego la vulnerabilidad Full Path Disclosure.
Cuenta con un nuevo sistema de logueo.
Ahora tiene manejo de secciones.
Algunos bugs arreglados.
Se implemento el PHPIDS.
y muchas cosas mas…

Si te intereso la pasada versión del Damn Vulnerable Web App, no dudes en descargar esta nueva versión los dejo en compañía de este vídeo tutorial de instalación de Damn Vulnerable Web App.

Descargar Damn Vulnerable Web App

Mas Información:
Sitio Oficial de Damn Vulnerable Web App

Fuente: DragonJar.

Microsoft minimiza la vulnerabilidad de SQL Server

noreply@blogger.com (JaviZ) — Sat, 05 Sep 2009 04:12:00 +0000

Microsoft pone en duda la gravedad de una vulnerabilidad en su servidor SQL de base de datos que los investigadores de seguridad dicen expone contraseñas administrativas. La vulnerabilidad, descubierta por Sentrigo, puede ser explotada remotamente en SQL Server 2000 y 2005.

Microsoft minimiza el defecto de seguridad en SQL Server que podría ser explotado por alguien con privilegios administrativos para ver las contraseñas de los usuarios que están sin cifrar.

La vulnerabilidad se descubrió el año pasado por el fabricante de seguridad de base de datos Sentrigo; cuando uno de sus investigadores notó que la cadena única de su contraseña personal era visible en la memoria. Desde entonces, se contacto a Microsoft y se desencadeno una de idas y vuelta entre Sentrigo y Microsoft, que sostiene que la vulnerabilidad no es un problema porque se requiere acceso administrativo.

Mientras funcionarios de Sentrigo admiten que acceso administrativo es necesario para un explotar al trabajo, también sostienen que muchas aplicaciones están desplegadas con privilegios administrativos, lo que significa que hackers podrían utilizar una inyección de SQL y con esta vulnerabilidad para acceder a contraseñas administrativas.

"Las contraseñas utilizadas para conectarse al servidor del MS SQL se almacenan en memoria con texto claro" explicado por el CTO de Sentrigo, Slavik Markovich. "Estas no se borran hasta que se reinicia el servidor del SQL, así que puede en quedar en memoria durante semanas o meses en ambientes de producción. Es algo fácil descargar la memoria y ver su contenido en busca de nombres de usuario y contraseñas".

En el caso de SQL Server 2000 y 2005, los atacantes puede explotar la situación remotamente. Hay algunos procesos de mitigación para los usuarios de SQL Server 2008 porque Microsoft eliminó la utilidad DBCC. Sin embargo, con conexiones locales todavía se puede explotar.

Pese a ello, Microsoft sostiene que la vulnerabilidad es mucho ruido y pocas nueces.

Microsoft ha investigado a fondo reclamaciones de vulnerabilidades en SQL Server y encontraron que estos no son vulnerabilidades que requieren de Microsoft emita una actualización de seguridad. Como se ha mencionado por los investigadores de seguridad, en el escenario en cuestión, un atacante necesitaría derechos administrativos en el sistema atacado.

"Un atacante que tiene derechos administrativos ya tiene completo control del sistema y puede instalar programas; ver, cambiar o borrar datos; o crear nuevas cuentas con plenos derechos de usuario", agregaron desde Microsoft.

Si bien los administradores pueden normalmente restablecer una contraseña de usuario si es necesario, mejores prácticas de seguridad no permiten incluso a los administradores ver la verdadera contraseñas de otros usuarios, oficiales de Sentrigo dicen: este es un problema aún mayor ya que muchas empresas necesitan cumplir con diversas normas y reglamentos que exigen estricta separación de funciones, algo que es claramente violado por compartir todos las contraseñas de los usuarios con los administradores.

En respuesta a la situación, el fabricante de seguridad ha publicado un utilitario gratuito para borrar estas contraseñas. La utilidad puede ser descargada a partir de hoy de la pagina Web de Sentrigo.

Fuente: SeguInfo.

Auditar SAP – Introducción

noreply@blogger.com (JaviZ) — Fri, 04 Sep 2009 23:24:00 +0000

A lo largo de varios post en este blog vimos desde artículos introductorios, hasta algunas pequeñas herramientas que SAP nos brinda para ayudarnos a configurar su seguridad.

En este post, y los subsiguientes sobre “Auditar SAP“, trataremos de abarcar paso a paso, las tareas a realizar para evaluar la seguridad de un sistema. En algunos casos repitiéndo conceptos ya definidos en anteriores artículos del blog, e incorporando otros nuevos.

Lo principal a fines de empezar, es entender el alcance de la auditoría que vamos a realizar. Metodológicamente, una auditoría del sistema se concentra en revisar la configuración del mismo, con el fin de exponer las falencias que puedan poner en jaque la seguridad de la información que en el reside.

Tenemos que comenzar entendiendo que el sistema SAP como ERP, es un sistema que puede aportar un alto grado de seguridad en las operaciones, y posee un buen número de controles embebidos en el mismo, tanto configurables como inherentes. Pero esta seguridad tiene que ser configurada, para que sea efectiva.

Y también es importante destacar una característica particular de SAP a la hora de auditarlo, y es que en el mismo no solo se configuran y por consiguiente, se revisan, los controles de aplicación (controles internos del negocio, validaciones de datos, etc) si no que también un gran número de controles de base o generales deben efectuarse en el mismo, ya que desde dentro de un sistema SAP es posible acceder directamente a las tablas de base de datos, ejecutar programas, ver código fuente, ejecutar comandos de sistema operativo, apagar el servicio, realizar debugging, y un largo etc de actividades que en otros sistemas deben controlarse “por fuera de la aplicación” y en el caso de SAP deben controlarse en “ambos lugares”. Y resaltamos “ambos lugares” porque incluso en muchas revisiones de seguridad se pierde el foco y se controlan los permisos dentro del sistema con el fin de verificar controles generales y de aplicación, abandonando un poco el control sobre los servidores de base de datos, de aplicación, etc.

Igualmente como corresponde a este blog, nos ocuparemos, al menos en principio, a la revisión de la seguridad específica en la plataforma SAP y posteriormente incorporaremos tips a verificar en las plataformas subyacentes (pero es tan variado este control, como plataformas y bases de datos sobre las que puede instalarse SAP).

Antes de empezar efectivamente con la auditoría sobre el sistema, hay cierta información que uno debería recopilar, y vamos a explicar porque:

- Versión, o versiones de SAP sobre la que se va a trabajar - Distintos parámetros y configuraciones son posibles dependiendo de la versión del sistema, como así también nuestras recomendaciones varí an según la versión de SAP, salvo que nuestra recomendación se actualizar la versión

- Cualquier informa de auditoría previo – Nos puede dar una idea general del sistema, aunque la revisión deba hacerse de cero.

- Landscape, número y nombre de instancias - Por motivos obvios es necesario conocer el landscape sobre el que se trabaja, servidores involucrados, application servers lógicos, físicos, ambientes de desarrollo, pruebas, producción etc. Es importante que los ambientes se encuentren correctamente aislados el uno del otro.

- Sistema operativo y Base de Datos (Nombre, versiones, etc) – Averiguar el sistema operativo sobre el que está instalado el application server y la base de datos sobre la que corre es importante tanto para la revisión de software de base, como para algunas transacciones específicas del sistema según donde se instale.

- Mandantes - Conocer los mandantes existentes y el objetivo de los mismos es necesario por las mismas razones que las instancias, y para conocer las necesidades de auditoría.

- Cantidad de usuarios - Complejidad y extensión de la revisión.

- Módulos utilizados/implementados - Para conocer el alcance de la revisión, una aproximación del número de roles involucrados y complejidad, la cual puede depender de los módulos (sobre todo si son incluidos módulos de industria específicos que si bien pueden no agregar muchos controles de seguridad, pueden ser desconocidos para nosotros)

- Esquema general de Sociedades, Centros, Sociedades CO, y otros datos funcionales - Resultan útiles a la hora de evaluar un esquema de roles acorde a las necesidades de la organización.

- Número de desarrollos ABAP o Z - Nos servirá como dato sobre la complejidad del sistema y de su diferencia con el sistema estándar. Este dato es de suma importancia a la hora de saber lo complejo del análisis de roles y en un posible caso de reingeniería de los mismos.

- Toda la documentación del área de sistema definiendo procedimientos, misiones y funciones, organigrama, nómina de empleados del área de sistemas con funciones, monitoreo, etc - Es útil con el fin de confirmar que estos procedimientos y puestos se vean reflejados en la estructura del sistema, y que los permisos de usuarios en el sistema no excedan o limiten sus responsabilidades. Es importante conocer el procedo de gestión de usuarios y accesos, para ver que el mismo se refleje de manera adecuada en el sistema.

- Procedimiento de cambios, y cambios de emergencia – Es importante contar con este procedimiento escrito y de no ser así relevar el proceso que debería ser, para comprobar que el sistema de transporte y los permisos estén configurados de manera acorde.

- Usuarios de Interfaz o no nomenclados - Es importante conocer de antemano cuales son estos usuarios para verificar su correcta parametrización o recomendar su eliminación.

- Esquema de Nomenclatura de roles - Como son nomenclados los roles es vital para entender la estructura de los mismos.

- Nomenclatura de usuarios - Para verificar que se cumpla y comprender la misma.

- Metodología de Acceso al sistema - A través del SAP GUI, Web, interfaz desde otras aplicaciones, usuarios de internet, externos, SAP Router, Citrix. Es importante determinarlo con el fin de verificar el alcance y saber con que estamos tratando.

- Implementación de Seguridad a través de la estructura organizativa, o la utilización de perfiles estructurales - Cambio nuestro punto de vista sobre como revisar la seguridad del sistema.

- Topología de Red del sistema SAP - Realizar un análisis preliminar de la instalación y su seguridad

- Planes de continuidad del sistema - Además de lo obvio, para conocer la redundancia, el riesgo y otros sistema que debamos verificar.

- Existencia de permisos de visualización para auditar el sistema - Lo dejamos para el final, pero es de suma importancia poseer permisos a todo lo que necesitemos, pero sin modificación, para poder trabajar con tranquilidad sobre el sistema. Ya que de ser negado el acceso interactivo al sistema tendremos que encarar una auditoría COMPLETAMENTE DISTINTA.

Evidentemente todavía no abordamos nada técnico, pero es un paso esencial el de recopilar toda la información que sea posible. Si a ustedes se les ocurre alguna otra información específica a recopilar no duden en hacer comentarios en este artículo.

En el próximo abordaremos ya más en detalle los temas técnicos y cómo proseguimos con una auditoría del sistema.

Securing Application Infrastructure: The analysis of Application Security Methodologies

noreply@blogger.com (JaviZ) — Fri, 04 Sep 2009 21:53:00 +0000

The trend of security threats has recently gained a prominent attention in media and industry reports. This article will briefly examine the methodologies and approaches that most organizations follow to address security issues by giving examples, test cases, strengths and weaknesses. Today's widely known solutions involve vulnerability scanning, static code analysis, penetration testing, binary analysis, fuzzing etc. Which of them are more or less reliable and which of them can address specific type of application problems, is mainly discussed here.

As many software vendors think that 'security issues' may never laid them out of business but in reality it does affect the sales as well as market reputation. Deploying proper application security not only rest assure the clients but also lead to increase the productivity. Let us take an example of interesting equation:

X=Applications developed
Y=Vulnerabilities exist in those applications
Z=Cost of repair (patch and fixes)
Now; X.Y.Z=A (answer)

If 'A' is less than the cost of third-party QA auditor, cost of training the developers and conducting additional security audits then it make more sense to write an insecure code.

Application vulnerabilities (in broad sense) can be divided into following sections but not limited to:

Operation/Platform Vulnerabilities
-Asset information disclosure
-Buffer Overflows
-Misconfigurations
-Error Handling
-Resource specific threats

Design Vulnerabilities
-Logic Flaws
-Access Control (Authentication/Authorization

Implementation Vulnerabilities
-Code Injection
-Information Disclosure
-Command Execution
-Functionality Abuse
-Input Validation
-Time and State

Now to test the security of the application, one may apply either of these methodologies:

Automated
-Automated Dynamic Tests (Fuzz Testing, Vulnerability Scanning)
-Automated Static Tests (Source or Binary Code Scanning)

Manual
-Manual Dynamic Tests (Parameter Tampering and Social Engineering)
-Manual Static Tests (Source or Binary Code Auditing)

Although each of these methods have their own strengths and weaknesses. Thus, we assume not the best, but atleast more efficient and reliable method can be judged by looking into their specific testing process.

Automated Dynamic Testing
While approaching to disclose application vulnerabilities under this method, the complexity ratio increases when moving from vulnerability scanning to the fuzz testing.

Strengths
-Less false positives (inherent benefits of run-time analysis)
-Programmatic approach to ensure reliable and consistent tests output

Weaknesses
-Threat assurance, No Fault != No Flaw
-Only the part of code audit may provide baseline for measurement.
-Unexpected conditions cannot be tested without additional programming.

Use Cases
-Fuzz Testing (complex input, informal SDLC, observable indicators)
-Application Scanning (strongly typed flaw classes, deterministic and observable behavior, known inputs only)
-Vulnerability Scanning (known transaction sequences, one to one mapping of triggers to specific conditions)

Automated Static Testing
This method can disclose the set of vulnerabilities present in the application by examining the code (source/binary) without user interaction. Several commercial and open source tools are available to perform automated static analysis. The complexity of such tools increases from normal flaw identification to the formal verification process.

Strengths
-Assessment of low-context flaws (parameters, DB query statements, etc)
-Automated scans required little or no human interaction
-Can get good placement during development lifecycle

Weaknesses
-Applications without presence of their source code.
-High ratio in false postives or negatives, tuning is harder.
-Critical issues with formal verification

Developing and correctly expressing a set of security invariants.
Developing an interpretation of the application that lends itself to proving/disproving invariants.

Use Cases
-Timely and resource-specific detection of simple flaws
-Detection of regression as a part of development lifecycle
-False assumption on strong assurance of the critical application
-In the hands of a developer who cannot interpret or filter the results correctly

Manual Dynamic Testing
The manual dynamic assessment apporach can be achieved by human-navigated application usage followed by assurance validation process and fuzz testing. A critical background information on application design can be provided by the developers. The complexity of manual dynamic testing process increases with its level of common criteria, assurance validation to parameter tampering.

Strengths
-Parallel capacity in execution of tests
-Pattern recognition
-Testing the live implementation may reduce false positives
-Capable of emulating the malicious attack process

Weaknesses
-Time consuming for large and complex applications
-May require the tester to hold a steep learning curve
-Test envrionment may not mirror production

Use Cases
-High risk applications require highly experienced security auditor to understand and scope the attack surface
-Wrong application type or the wrong tester background
-A case where the requirements of assessment does not match the expected risk profile of an application

Manual Static Testing
This process involves the interaction of human reviews, understanding application design and architecture documentation, use of offline toolset (such as, disassemblers, code browsers, etc).

Strengths
-Known data and code points
-Without any resource specific considerations
-Adaptability with skills and toolset

Weaknesses
-Accuracy issues (falst positives, human mistakes)
-High resource requirements
-Inconsistency in interpretation of same flaw in different ways

Use Cases
-Manual code audit (skilled resources, minor findings before automated tests, custom-coded scripts)
-Configuration review (low risk in changing values at runtime, known data sources and formatings)

Thus, from the application security assessment methods mentioned above and the statistics from "WASC Statistics Project" prove that the probability in detection of high risk vulnerabilities can be higher if combined set of methodologies are used. And this combined approach is almost 12.5% higher than automated scanning (specific to web applications).

Source: EthicalHacker.

Javier Echaiz Security

Technology News: Exploits & Vulnerabilities: Internet Explorer Flaw Lets Hackers Into the Cookie Jar

Use your mobile phone for secure Web sign-ins | Workers' Edge - CNET News

The Best Web Apps and Online Services: Get the Most Out of the Cloud | PCWorld

By using Web-based applications and storing your files online, you can work from anywhere, on any device, for next to nothing.

XSS and the NASA (NA_XSS_A?)

Microsoft, Aurora and something about forest and trees?

BackTrack 4 Final Release

132,000+ sites Compromised Via SQL Injection

Unintentional Insider Attacks

Improper Input Handling

Improper Input Validation

Client-side vs Server-side validation

Improper Input Sanitization and Filtering

Input Sanitization

Canonicalization

Input Filtering

Common examples of attacks due to Improper Input Handling

Buffer Overflow

SQL Injection

OS Commanding

References

Brief: Firefox feature looks to foil XSS attacks

More solutions please

Social Engineering at its best

Tricks with Google!

Comodo Internet Security – Free All-in-one Firewall & Antivirus

Twitter DM Phishing Scam

Windows Software

Malware Analysis Tools and Techniques

Malware Analysis Tools and Techniques

Windows autorun may autoinfect

Análisis forense de cola de impresión de Windows

Microsoft IIS FTP 5.0 Remote SYSTEM Exploit

Memoria USB Booteable con Varias Distribuciones de Seguridad Informática

Damn Vulnerable Web App

Descargar Damn Vulnerable Web App

Microsoft minimiza la vulnerabilidad de SQL Server

Auditar SAP – Introducción

Artículos relacionados:

Securing Application Infrastructure: The analysis of Application Security Methodologies