Charlie, implementing ITrust

Just for a SecPal

charlie — Thu, 28 Sep 2006 02:49:00 GMT

Microsoft is forwarding the notion of a language for security policy. Blair Dillaway of Microsoft Research, described the Security Policy Assertion Language at a recent Grid computing conference.

Speaking at GridWorld in Washington, D.C. earlier this month, Blair Dillaway described SecPal as a declarative, logic-based security language that supports distributed policy authoring and composition. It is said to be an XML dialect that works as a means for handling access control requirements, trust, authorization, and delegation policies.

Presentation on SecPal - ggf.org [PPT]

Thawte Crypto Challenge

charlie — Thu, 31 Aug 2006 07:28:00 GMT

The thawte Crypto Challenge gives you the chance to pit your wits against our code and other crackers around the world. If you have the skills, you too can be infamous (and win a prize while you’re at it). Crypto Challenge X is now open, so register to reveal the code and start cracking!

Go to the site.

The FBI needs help from hackers

charlie — Thu, 03 Aug 2006 02:22:00 GMT

"We need your expertise and input as we develop strategies to battle cybercrime in the 21st century," Daniel Larkin, a unit chief in the FBI's cybercrime division, said in his opening address at the annual Black Hat security conference here.

As cybercrime has continued to become more sophisticated and organized, federal agencies have increasingly sought to partner with the private sector. Earlier this year, FBI Director Robert Mueller used the RSA Conference to send out a similar message.

"The people we're going after are not just the script kiddies anymore. These people are making a lot of money," Larkin told the Black Hat audience of hackers and security professionals. "I am a recovering technophobe; I used to be really afraid of you all. But I realize that you all are really important."

ActiveX security faces storm before calm

charlie — Wed, 02 Aug 2006 05:14:00 GMT

Using a custom-built data fuzzing tool, HD Moore pinpointed more than 100 vulnerabilities in the ActiveX controls included with the default installation of Microsoft's Windows XP operating system. Data fuzzing tools combine knowledge of the input parameters accepted by a software package with a tenacious and systematic mangling of the data to discover how applications react to various permutations, whether valid or invalid.

Read more at SecurityFocus.

NASA Site Attacks

charlie — Wed, 02 Aug 2006 05:07:00 GMT

The Zone-H website recently reported on the defacements that took place. Websites run by NASA and other agencies have been frequent targets of attacks.

A Chilean cracking group called Byond Hackers Crew took credit for the defacement of a pair of NASA servers. Those machines had their home pages replaced with the picture of a young bombing victim's face and the message "No war."

Netscape.com falls victim to cross-site scripting attack

charlie — Thu, 27 Jul 2006 05:20:00 GMT

Fans of the website Digg.com have hacked the Netscape.com service using a cross-site scripting attack.

The site was recently relaunched as a social book-marking service. It is generally considered a copy of the popular Digg.com website.

Netscape visitors on Wednesday were presented with pop-up messages, one of which stated: 'This site sucks. Go here instead'. Clicking on the message led users to Digg.com.

Best practices for security in ASP.NET 2.0

charlie — Fri, 21 Jul 2006 00:34:00 GMT

Check out the patterns and practices site for security in .NET.

Don't just rely on some of the built-in features of ASP.NET. For example, the ASP.NET 2.0 Internet Security Reference Implementation uses custom functions to encode input because ASP.NET’s Server.HtmlEncode "only encodes <>"& characters. This is not sufficient to protect against all possible attacks. The authors also reference the Microsoft Anti-Cross Site Scripting Library V1.0 to fight against unproven (aka evil) input.

Likewise, the app discourages the use of DataBinder.Eval() when displaying content from the database. "While Eval is sometimes safe to use on purely static data, it is best to avoid it completely as it has the potential to allow an attacker to execute arbitrary code on the host server."

Searching for malicious software

charlie — Wed, 19 Jul 2006 01:22:00 GMT

H. D. Moore, creator of the Metasploit hacking tool, has crafted a search engine that finds malicious software using queries on Google. This "Malware" search engine finds Web sites hosting malicious files after a person enters the name of a virus or Trojan horse.

To find the malicious software the tool uses a fingerprint of the executable and then searches for it. However, those who do try it won't find much. Google has not indexed most malware yet and the signature database is still very small, according to the Malware search site.

Launch of the site comes shortly after researchers at Websense Security Labs said they had been able to find thousands of examples of malicious code using Google's search technology.

Most of what Websense found were malicious files posted to newsgroups with false names, designed to trick a user.

Being able to find malicious software on Google shows the potential to embed strings within binaries that match search terms in order to dupe users into running malicious code, Websense said in an alert last week.

Threat Analysis and Modeling Tool v. 2.0 (RTM) is available

charlie — Sun, 09 Jul 2006 05:36:00 GMT

Microsoft Threat Analysis & Modeling tool allows non-security subject matter experts to enter already known information including business requirements and application architecture which is then used to produce a feature-rich threat model. Along with automatically identifying threats, the tool can produce valuable security artifacts.

The Threat Analysis and Modeling Tool v2.0 is now available here.

These are the main features of the package:

TreeView Navigation with visibility to all nodes at all times
Wizard based threat model creation
Default Attack library with descriptive countermeasure guidance
Automatic Threats and Use Cases generation
Consolidated Call Flow (System Flow), Attack Surface, Threat Tree are some of the few visualizations available, which can all be exported to Visio
Exportable Analytics and Reports to HTML
Import v1.0 Threat Model (models created using Torpedo v1)
Export countermeasures and attack test cases to Visual Studio Team Foundation Server (TFS)
Import SDM Deployment Reports from VSTA
Copy Paste and Drag-&-Drop features
Enhanced Find Feature
Video Tutorials

Go to the Application Threat Modeling site, to get started.

Device Security Manager Powertoy for Windows Mobile 5.0 Released!

charlie — Thu, 06 Jul 2006 00:52:00 GMT

This test tool helps developers of Windows Mobile applications test various security policies for Windows Mobile devices. It is designed as a desktop application that ships with a preset list of “security configurations”.

A security configuration can be thought of as a template, which contains a collection of individual policies and settings. For example, a security configuration could define policies such as whether unsigned applications are allowed to execute, whether RAPI is disabled etc.

Using this tool, the developer can provision a Windows Mobile device with different configurations, and then test the application’s behavior under these configurations. This tool can be used either on an emulator or an unlocked Windows Mobile device.

You can download the tool here

source: http://blogs.msdn.com/mikehall/archive/2006/07/05/657436.aspx

Apple issues another OS X security update

charlie — Thu, 29 Jun 2006 09:15:00 GMT

Apple has released a security update to its OS X 10.4 operating system. Some of the five patches in security update 10.4.7 address vulnerabilities that could allow a remote attacker to gain access to a compromised system, and one addresses a buffer-overflow flaw within ClamAV, a third-party antivirus application that is popular among Mac users. The other vulnerabilities involve Launchd, a flaw publicly exposed by the Mac virus InqTana.b earlier this year. Other vulnerablities involve OpenLDAP, ImageIO, and AFP. Additional information on the 10.4.7 patches can be obtained from Apple's security update site and from News.com.

Attack code for Windows flaw heightens risk

charlie — Tue, 27 Jun 2006 09:44:00 GMT

Computer code that exploits a "critical" vulnerability in Windows has been released on the Internet, prompting Microsoft to issue a security advisory.

The attack code takes advantage of a flawed Windows routing and remote access component for which Microsoft released a patch two weeks ago, the company said in its advisory published late Friday. The company is not aware of any actual cyberattacks that use the exploit code, it said.

Source: News.com

PGP & GPG

charlie — Tue, 27 Jun 2006 09:39:00 GMT

"PGP (Pretty Good Privacy), as most Slashdot readers know, is one of the most popular software encryption programs ever. It is so good and so effective that in the early 1990s the FBI launched a multi-year investigation against Phil Zimmerman, the creator of PGP, for possible violation of federal export laws, especially ITAR (International Traffic in Arms Regulation). After many years of investigation, the FBI ultimately dropped its case against Zimmerman. Even though PGP is synonymous with end-user encryption, there have only been a few books written on the subject. Jump to 2006, and PGP & GPG: Email for the Practical Paranoid is a welcome title." Read the rest of Ben's review.

Source: http://slashdot.org/

Check out the top 100 Network Security Tools

charlie — Fri, 23 Jun 2006 14:40:00 GMT

Fyodor asked users from the nmap-hackers mailing list to share their favorite tools, and 3,243 people responded. This allowed him to expand the list to 100 tools, and even subdivide them into categories. Anyone in the security field would be well advised to go over the list and investigate tools they are unfamiliar with. You will discover several powerful new tools this way. Any newbie, not knowing where to start should go to this site.

Cryptography for kids

admin — Thu, 15 Jun 2006 15:23:00 GMT

Still young, but you want to be a codemaker or codebreaker? Check out the CryptoKids site.