Posts

Showing posts from January, 2010

Preventing Banner Grabbing in Web Servers

After a lot of googling I found nothing significant; then a friend of mine, Vaibhav, helped me out with his precious knowledge.
This is a quick reference for preventing banner grabbing:

For Apache Server:
Edit your httpd.conf file and make sure the following directives are present:

    ServerSignature Off
    ServerTokens Prod

Setting ServerSignature to Off instructs Apache not to print version information when an error page such as a "404 Not Found" is displayed. The ServerTokens directive, when set to Prod, instructs Apache to display only "Server: Apache" in the banner. If you do not want to display "Apache" in the Server header at all but want to display fake information such as "Server: Not-allowed", you will need to:

1. Download the Apache source code.
2. Edit the file httpd.h and change the value of the string "Apache" in the line

       #define SERVER_BASEPRODUCT "Apache"

   to something else:

       #define SERVER_BASEPRODUCT "Not-allowed"

3. Recompile, reinstall, and restart Apache.
…

Researchers criticise 3D Secure credit card authentication

The researchers, Steven J Murdoch and Ross Anderson, criticise the current credit-card verification scheme. They found that the current mechanisms used by "Verified by Visa" from Visa and "MasterCard SecureCode" from MasterCard are flawed. Banks worldwide are starting to authenticate online card transactions using the '3-D Secure' protocol.
They observe that:
The mechanism used to display the 3DS form is embedded within an iframe or pop-up with no address bar, so there is no indication of where the form has come from. This goes against banks' advice to their customers to avoid phishing sites by only entering bank passwords into sites they can identify as the bank's own.
The researchers also criticise the initial password entry process, which occurs the first time a cardholder uses a 3DS-enabled card to shop online. The user is asked to enter a new password as part of the process of making the purchase, which the researchers feel is a bad time to …

Exploiting IE 6 with Aurora-Video

Here is a nice Metasploit video I came across somewhere, showing the Aurora payload being used to carry out the attacks:
The "Aurora" IE Exploit in Action from The Crew of Praetorian Prefect on Vimeo.

Emergency IE 6 Patch released by Microsoft

The Aurora code recently used to carry out attacks against IE6 cannot be executed in the newer version of IE, IE8, because IE8 has DEP (Data Execution Prevention) enabled by default. This crucial anti-exploit mitigation is enabled by default on IE8 only.

Until a patch for the above exploit is released, Microsoft's Security Research & Defense team has created and released a one-click "Fix It" tool that lets users enable DEP (Data Execution Prevention) on older versions of the browser.
DEP is enabled by default for Internet Explorer on the following platforms:
· Internet Explorer 8 on Windows XP Service Pack 3,
· Internet Explorer 8 on Windows Vista Service Pack 1 and later,
· Internet Explorer 8 on Windows Server 2008, and
· Internet Explorer 8 on Windows 7.
So to mitigate the vulnerability on older versions of IE (IE6, IE7), run the DEP tool. More details about DEP and the tool can be found here:
http://blogs.technet.com/sr…

Why should we avoid using IE

Given the long history of IE vulnerabilities, we all know that day in, day out attacks are carried out using IE, mostly against IE6, which most users in organizations still have by default even today. So why can't organizations replace IE with Firefox, Opera, etc.? All are free and relatively safer than IE.
Here is a nice article I was going through. It analyzes the causes and the efforts made to replace IE. Surprisingly, after replacing IE with Firefox and Opera, calls to the IT help desk for removal and cleanup of malware and spyware went down drastically!
For more information read this:
http://stateofsecurity.com/?p=884

ForceHTTPS: Strict-Transport-Security

Use of HTTPS to protect data in transit from eavesdropping is well known.
The user can be sure that the data he is submitting goes over an encrypted channel and is safe from sniffing.
Although HTTPS itself is secure, a few factors can still be considered major lapses in implementing it securely. All modern web browsers are willing to compromise the security of sites that use HTTPS in order to be compatible with sites that deploy HTTPS incorrectly. For example, if an active attacker presents a self-signed certificate, web browsers permit the user to click through a warning message and access the site despite the error. Certificate errors happen due to a Common-Name mismatch between the certificate name and the hosting server, self-signed certificates, or expired certificates. This behavior compromises the confidentiality of the site's Secure cookies, which often store a second factor of authentication, and allows the attacker to hijack a legitimate user's session.
End-user being …

GMail goes HTTP-S 'by default'

Today I noticed something new in the upper right corner of my Gmail account: "More Gmail Security".
Now Gmail offers an HTTPS connection by default. Last June, a group of researchers and academics released an open letter calling on Google to protect users' communications from theft and snooping by enabling industry-standard transport encryption (HTTPS) for Google Mail, Docs, and Calendar. And the latest rise in incidents of Gmail account hijacking from China made Google act fast.
According to Google "We initially left the choice of using it up to you because there's a downside: https can make your mail slower since encrypted data doesn't travel across the web as quickly as unencrypted data. Over the last few months, we've been researching the security/latency tradeoff and decided that turning https on for everyone was the right thing to do."

They are currently rolling out default https for everyone. If you've previously set your own https prefer…

Design review prior to Code review

Is it really necessary to do a design review before performing a code review? Why is it so important?
I asked Security Ninja and his reply was quite convincing. As I am new to code reviews I can't comment on that myself, but his reply made things clearer for me:

"Nilesh asked a question about the last blog post which I want to answer here. He asked whether the design review was required prior to performing the source code review. I feel like I’m sitting on the fence when I say that it depends on your SDLC and organisation but it really does. In a well structured SDLC with security integrated into each phase you could be reviewing the design a long time before the code itself. The design items have a couple of different uses in my eyes. They give you guidance when reviewing the design for an application from a security point of view and help you either sign off or reject the design. The second benefit of these checklist items is to check whether the code you are reviewing matches up to…

Mapping between WASC's Threat Classification and OWASP Top 10 2010

The following table attempts to map between WASC's Threat Classification v2 and OWASP Top 10 2010 RC1.
People using one or both documents may find it useful.