Digital Signing Demo

This post demonstrates the use of a digital signing function to ensure data within a table is unaltered outside a given set of stored procs. To understand how these and other crytographic functions can be employed to improve the security of database applications, please review this post.

The first step in the demonstration is to create an empty database within which sensitive data will be housed:

USE master;
GO

IF EXISTS (SELECT * FROM sys.databases WHERE name = ‘SigningFunctionDemo’)
   DROP DATABASE SigningFunctionDemo;
GO
CREATE DATABASE SigningFunctionDemo;
GO

Next, a table will be created to house some sensitive data.  It’s important to note that for this demonstration, the data is not being encrypted but it could be to make unauthorized access and modifications more challenging:

USE SigningFunctionDemo;
GO

CREATE TABLE dbo.MySensitiveData (
   Id INT NOT NULL IDENTITY(1,1),
   MyData NVARCHAR(25) NOT NULL,
   MySignature VARBINARY(256) NOT NULL
   );
GO

To support signing, an asymmetric key will be created along with two stored procedures making the signing and verification calls on behalf of the application:

CREATE ASYMMETRIC KEY MySigningKey
    WITH ALGORITHM = RSA_2048
    ENCRYPTION BY PASSWORD = N’asd!i36oheQ#wr8iW#%qwei4!orqhq9w7as’;
GO

CREATE PROC dbo.spPutData @MyData NVARCHAR(25)
AS
   INSERT INTO dbo.MySensitiveData (MyData, MySignature)
   SELECT
    @MyData,
    SIGNBYASYMKEY(
         ASYMKEY_ID(‘MySigningKey’),
         @MyData,
         N’asd!i36oheQ#wr8iW#%qwei4!orqhq9w7as’
         );
GO

CREATE PROC dbo.spGetData @Id int
AS
 SELECT
    MyData,
    VERIFYSIGNEDBYASYMKEY(
  ASYMKEY_ID(‘MySigningKey’),
  MyData,
  MySignature
  ) AS IsValid
 FROM dbo.MySensitiveData
 WHERE  Id = @Id;
GO

With this in place, data can now be placed into the database along with a signature:

EXEC dbo.spPutData N’This is my sensitive data’
GO

Accessing the table directly, the data and its signature can be seen:

SELECT * FROM dbo.MySensitiveData
GO

Read more: MSDN Blogs

Posted via email from Jasper-Net

Visidon Applock sees your pretty face, grants you Android access (video)

In the event you got lulled into a groovy seat dance by that most excellent muzak above, let us repeat - this app does not protect your lockscreen. That said, Visidon's Applock will prevent the privacy-adverse from messing with your personally curated app collection. Have a nosy significant lover? No sweat -- snap a pick with your front-facing cam, enable the face-lock in your settings, and those sexts are as good as blocked. It's far from foolproof, however, as some comments indicate an extended bit of facial-wriggling tricks the app into unlock mode. Oh well, you're so vain, you'll probably think this Android market link is for you -- don't you?


Read more: Engadget
QR:

Posted via email from Jasper-Net

הצפנת קבצים בודדים בתצורת EFS – Encrypted File System–חלק א'

שלום לכולם,
כאן דן ויזנפלד מצוות התמיכה של Microsoft.
כמעט כל אחד מאתנו עושה שימוש במידע אישי, שמסיבה כזו או אחרת, הוא אינו מעוניין לאפשר למשתמשים אחרים גישה אליו.
פתרונות האבטחה שמוצעים היום בשוק (חומות אש ותוכנות אבטחה שונות) יכולים לסייע לכם במצבים בהם קיימת כוונה של פורץ כזה או אחר לגשת למידע האישי שלכם מרחוק (וגם כן, לא בכל המצבים).
עם זאת, אף אחד מהפתרונות הללו לא יכול להגן עליכם במצב בו לאותו פורץ יש גישה פיזית ישירה למחשב שלכם.
Microsoft הציגה במערכות ההפעלה האחרונות (בכל הגרסאות העסקיות של מערכות ההפעלה החל מ-Windows 2000) יכולת הצפנה מתקדמת ביותר, הידועה בשם EFS – Encrypted File System.
במדריך הבא (המחולק לשני חלקים), אבקש להסביר לכם יותר על שיטת ההצפנה הזו – בטרם נלמד כיצד להפעילה וכיצד להשתמש בה.
למה חשוב להכיר את המנגנון לעומק?
1. בכדי למנוע מצבים טרגיים נפוצים בהם מצפינים קבצים מסוימים בצורה לא נכונה, ולאחר מכן לא ניתן לפתוח יותר את אותם הקבצים.
2. בכדי למנוע מצבים טרגיים לא פחות בהם ההצפנה בוצעה בצורה לא תקינה, ומידע שחשבתם שהוא מוצפן ומאובטח – בעצם גלוי לעיני כל.
טוב, אז לאחר שהבנו את חשיבות ההיכרות עם מנגנון ההצפנה, נלמד טיפה יותר על איך הוא עובד. אבל לפני שאגע ואסביר כיצד עובד המנגנון, חשוב להכיר כמה מונחים בסיסיים בתורת הקריפטוגרפיה:
הצפנה סימטרית –
שיטת הצפנה בה המפתח בו נעשה שימוש על מנת להצפין את המידע, הוא היחיד שגם יכול לשמש למטרת פענוח המידע שהוצפן.
כלומר, אם הצפנתי מידע באמצעות מפתח מסוים, עלי להעביר את אותו המפתח לנמען שלי יחד עם המידע שהוצפן, על מנת שהוא יוכל לפענח אותו.
הצפנה א-סימטרית –
שיטת הצפנה בה המפתח בו נעשה שימוש על מנת להצפין את המידע הוא אינו המפתח בו נעשה שימוש על מנת לפענח את המידע.

Read more: MS Support blog

Posted via email from Jasper-Net

LulzCheck

This summary is not available. Please click here to view the post.

25 Linux Server Hardening Tips

When it comes to having a Linux server hosted in a data center or it is not behind any kind of Firewall or NAT device there are a number of security requirements that need to be addressed. Linux servers generally come with no protection configured by default and depending on the hosting company or distro can come preconfigured with many services installed that are not required, including Web Servers, FTP Servers, Mail Servers and SSH Remote Access.

The following is a compilation of various settings and techniques you can employ to harden the security of your vulnerable Linux systems. While I have tried to put them in order of the most important features first I would recommend all of these options be used on your critical production servers.

TIP #1 – Strong Passwords
Always create long passwords that contain upper and lower case letters, numbers and non alpha-numeric characters. Enforce password ageing so users need to change their passwords regularly. Lock user accounts after a certain number of failed login attempts.

TIP #2 – Use Public/Private Keys
Make use of Public/Private SSH keys for login of remote users instead of passwords, this provides the benefit of turning off password authentication in SSH so that your server can’t be Brute-Force cracked. However this does introduce a new problem whereby a malicious person could compromise a user’s computer or steal their laptop and then have access to the server. This can be overcome by using a password on the client certificate which must be entered before connecting, a kind of two factor authentication.

TIP #3 – Disable Root Login
Disable the Root user from being able to login either via the console or remote SSH connections. Instead have users use Sudo to run programs that require root privileges, or use sudo su to change to the Root user once logged in. This provides an audit path to show which user installed a piece of software or ran a program.

Read more: monitis

Posted via email from Jasper-Net

Encrypt the Data

SQL Server supports the encryption of data through a number of mechanisms.  These include:
   Cryptographic functions for the encryption and signing of individual values,
   The Transparent Data Encryption (TDE) feature through which the data and log files associated with a database are encrypted, and
   Support for SSL and IPSec to encrypt data as it is transmitted between the server and clients.

In addition, SQL Server supports an internally managed cryptographic key infrastructure but may also integrate with an externally managed infrastructure through its Extensible Key Management (EKM) interface.

To get a more in-depth and complete overview of the SQL Server cryptographic capabilities, please refere to this white paper.


Cryptographic Functions
With SQL Server 2005, a collection of cryptographic functions were introduced into the database product for the encryption and signing of individual values. Prior to the 2005 release, applications could store encrypted values and signatures within the database but relied on external functions to perform the encryption and signing work.  By moving the functions into the database engine, SQL Server provides greater and more consistent access to cryptographic functionality and allows an application to more easily leverage a centrally managed encryption key infrastructure.


The Encryption Functions
The encryption functions support encryption using either symmetric or asymmetric keys.  Symmetric key encryption has less  performance overhead while asymmetric key encryption provides stronger protection.

To perform symmetric key encryption, SQL Server provides two functions: EncryptByKey() and EncryptByPassPhrase().  The EncryptByKey() function leverages a symmetric key registered in advance with SQL Server.  With the EncryptByPassPhrase() function, a temporary symmetric key is generated using a passphrase supplied with the function. The choice of which function to employ comes down to the needs of the application and the availability of key management support within the organization.

Read more: MSDN Blogs

Posted via email from Jasper-Net

Encrypt And Password Protect Sensitive Information In Your Emails

Disseminating sensitive information online isn’t easy and many people use different techniques to mask the content of private messages. Some might give dummy names to files or send them as zipped attachments but needless to say these measures don’t provide much security. Large companies might resort to other more expensive ways of securely transmitting sensitive information but a simple solution comes from Encipher.it which allows you to encrypt text on the AES encryption standard and protect it with a password. Recipients of encrypted messages will need the password to read your message.

Read more: Addictive tips

Posted via email from Jasper-Net

Anatomy of a PDF Hack

By Tomer Bitton, security researcher, Imperva

PDFs are widely used business file format, which makes them a common target for malware attacks. Because PDFs have so many "features," hackers have learned how to hide attacks deep under the surface. By using a number of utilities, we are able to reverse engineer the techniques in malicious PDFs, providing insight that we can ultimately use to better protect our systems. We'll take you through the process that a hacker uses to insert a piece of malware into a sample PDF.

By opening the PDF file with a text editor it is possible to see that there are some encrypted objects. The first circle, object 11, is a command to execute Javascript in object 12. The second and third circles, are a command for object 12 to filter the Javascript with AsciiHexDecode. The main reason for this filter is to hide malicious code inside the PDF and avoid anti-virus detection. This is our first red flag.

Read more: Read Write web

Posted via email from Jasper-Net

Build Secure Database Applications with Microsoft SQL Server Series To Be - Post 0 of X

• Databases are prime targets because they are foundational to many applications and are the principle stores of sensitive data.

• Responsibility for the protection of our databases is distributed between multiple groups. While an optimist might see this as providing multiple layers of protection, I'm concerned that without one group or individual having overarching responsibility, there tend to be significant gaps in security policies and procedures.

With this in mind, I am speaking with folks about ways they can improve the security of their database applications built upon Microsoft SQL Server. My objectives are to:

• Improve awareness of features and practices that can be used to make SQL Server databases tougher targets, and

• Encourage folks to engage in dialogs within their organizations about database security to ensure gaps are identified and addressed.

In order to engage a broader audience, I am providing much of this information here as a series of blog posts organized around the high-level practices that should be employed. As entries are posted, I'll convert each of these practices into links to make accessing of this information a bit easier:

• Harden the database server
• Control network communications
• Limit access to database services
• Assign minimal permissions
• Encrypt your data
• Defend against common exploits
• Monitor and enforce policies

Read more: Greg's Cool [Insert Clever Name] of the Day

Read more: Build Secure Database Applications with Microsoft SQL Server

Posted via email from Jasper-Net

Secure the Authentication Process

SQL Server supports two authentication mechanisms: Windows authentication and SQL Server (SQL) authentication.  With Windows authentication, SQL Server simply validates a user’s Windows identity with an identity management solution such as Active Directory.  With SQL authentication, SQL Server generates, stores, and manages instance-specific user name and password information.  While SQL Server can be configured to employ SQL authentication in addition to the Windows authentication default, it is strongly discouraged as SQL authentication is vulnerable to brute-force attacks. That’s not to say that Windows authentication is invulnerable to attack. In fact a new feature, Extended Protection, was introduced with SQL Server 2008 R2 to thwart one such attack.

Extended Protection

The man-in-the-middle (MITM) attack is executed by a malicious application which impersonates the SQL Server service to a client and the client to the service.  In doing so, the malicious application places itself in the middle of the communications channel between the client and server and from this vantage point can intercept messages transmitted between the two. (This attack is also referred to as authentication relay.)

To thwart this attack, SQL Server registers its identity as a Service Principle Name (SPN) with Active Directory (typically at the time of installation).  The client obtains the SPN as part of the connection process and validates this against the SPN held by SQL Server.  If the malicious application does not have access to the SPN, the connection is not completed.

This process is referred to as service binding and it protects against scenarios where the malicious application lures the client to it.  If the client voluntarily connects to the malicious application (usually due to spoofing), then channel binding can be employed to block the MITM attack.

With channel binding, the SQL Server service sends the connecting client the public key associated with a private key it maintains.  The client generates a value known as the Client Binding Token (CBT), encrypts it with the service’s public key, and transmits the encrypted CBT to SQL Server. Using its private key, SQL Server decrypts the CBT and then uses the CBT to encrypt the channel between it and the client.  Without the private key, the malicious application cannot decrypt the CBT and therefore cannot access the data passed between the client and server.

Read more: Data Otaku

Posted via email from Jasper-Net

Google's Browser Interception Plugin For Chrome

Google has released a passive in-the-browser reconnaissance plugin, called the 'DOM Snitch'. By intercepting JavaScript calls to the browser infrastructure, it detects common cross-site scripting, mixed content and insecure DOM changes. The plugin displays the DOM modifications in real time so developers don't have to pause the application to run an outside debugger. It exports traces for easier collaboration and analysis.

Read more: Slashdot

Posted via email from Jasper-Net

WordPress.org Hacked, Plugin Repository Compromised

Back in April hackers gained access to the WordPress.com servers and exposed passwords/API keys for Twitter and Facebook accounts. Now, hackers gained access to Wordpress.org and the plugin repository. Malicious code was found in several commits including popular plugins such as AddThis, WPtouch, or W3 Total Cache. Matt Mullenweg decided to force-reset all passwords on WordPress.org. This is a great remainder for all users not use the same password for two different services.

Read more: Slashdot

Posted via email from Jasper-Net

decompile-dump

Partial stuxnet source decompiled with hexrays, if anyone has better decompile tools feel free to contribute better versions. — Read more

http://twitter.com/stuxnetsource

Read more: GitHub

Posted via email from Jasper-Net

Project RIPS – Status

During the past month I spend a lot of time improving RIPS – my static analysis tool for PHP vulnerabilities. You can download the new version 0.40 here. In this post I will give a short project status report.

Whats new

There has been a couple of bugfixes and improving especially regarding file inclusions which are vital for correct analysis. Also RIPS now tries to analyse SQL queries on quotes before a decision on correct securing is made. However this feature is still not 100% working correctly in all cases.

// safe

$name = mysql_real_escape_string($_GET['name']);

mysql_query("SELECT * FROM users WHERE name = '$name'");

// vulnerable

$id = mysql_real_escape_string($_GET['id']);

mysql_query("SELECT * FROM users WHERE id = $id");

The main new visible features are graphs. Besides the list of all scanned files RIPS now gives a nice overview on how files are connected to eachother, what files accept sources (userinput) and what files have sensitive sinks or vulnerabilities. It also splits the scanned files in main files (blue) and included files (red) so that entry points can be spotted easily.

Read more: Reiners’ Weblog

Posted via email from Jasper-Net

Mobile Security – Users Just Don’t Care

It’s not that users “don’t want to keep their data safe”. They do. Most corporate users don’t want their personal or corporate, private information, available to someone else. They don’t want their email stolen or their contacts pillaged. So why do people insist on ignoring the multitude of security recommendations on how to have a more secure mobile work environment? The answer to this question is that inside, users really just don’t care.

The average corporate user of a mobile device has a litany of reasons why they think they don’t need to listen to the advice of their security organization. Some of these reasons are more legitimate than others, but what they really boil down to is the fact that they all indicate a lack of economic incentive when compared against required effort. The end result is that the user just doesn’t care about the problem.

• There are so many phones out there, it won’t happen to me. The chances are too slim.
• I don’t understand the danger here? I mean it’s a smartphone, nobody attacks phones.
• What do you mean I have to act in a secure manner? How do I do that?
• But I downloaded this app from the official marketplace. What do you mean it’s not secure?!
• You put firewalls and antivirus garbage on my laptop and it’s slow as heck, and I STILL get infected. Security doesn’t work.

Read more: Veracode

Posted via email from Jasper-Net

Following the Money In Cybercrime

  Five dollars for control over 1,000 compromised email accounts. Eight dollars for a distributed denial-of-service attack that takes down a website for an hour. And just a buck to solve 1,000 captchas. Those are the going rates of cybercrime, the amounts criminals pay other criminals for the technical services necessary to launch attacks. This criminal underground was detailed Wednesday in a highly entertaining talk given by researcher Stefan Savage at the annual Usenix technical conference in Portland, Ore. Savage's research into the economics of cybercrime began as lip service to satisfy the terms of a government grant, but it turned out to be the key to stopping computer attacks. Targeted methods — such as using CAPTCHAs — don't stop criminals, but they add to the cost burden and put the inefficient criminal organizations out of business, letting security researchers focus only on the ones that survive.

Read more: Slashdot

Posted via email from Jasper-Net

Security Alert: Malware Found Targeting Custom ROMs (jSMSHider)

The Threat

Recently we discovered a new Trojan in the wild, surfacing in alternative Android markets that predominately target Chinese Android users. This Trojan, which we’ve dubbed jSMSHider due to the name used inside the APK, predominantly affects devices with a custom ROM. Custom ROMs are custom built versions of Android, which have been released by third-party groups. The manufacturer or carrier do not traditionally endorse custom ROMs. (If you do not know what a custom ROM is, and do not think you’ve downloaded a custom ROM, you are probably not affected.)

Who is Affected

To date, we have identified eight separate instances of jSMSHider and because the distribution is limited to alternative app markets targeting Chinese Android users, the severity for this threat is low. This Trojan, jSMSHider, predominantly affects devices where the owner has downloaded a custom ROM or rooted phone.

Due to where the malware was found and the limited number of devices the malware could infect, we believe the impact to be limited.  All Lookout users are automatically protected from this malware.

How it works

The application follows the common pattern of masquerading as a legitimate application, though a few extra permissions have been added. At first glance, it appears like other recent Android Trojans that tries to take control over the mobile phone by rooting the phone (breaking out of the Android security container), but instead jSMSHider exploits a vulnerability found in the way most custom ROMs sign their system images. The issue arises since publicly available private keys in the Android Open Source Project (AOSP) are often used to sign the custom ROM builds.  In the Android security model, any application signed with the same platform signer as the system image can request permissions not available to normal applications, including the ability to install or uninstall applications without user intervention.

Read more: Lookout security

Posted via email from Jasper-Net

Japan Criminalizes Virus Creation

Japan's parliament enacted legislation Friday criminalizing the creation or distribution of computer viruses to crack down on the growing problem of cybercrimes, but critics say the move could infringe on the constitutionally guaranteed privacy of communications. With the bill to revise the Penal Code passing the House of Councillors by an overwhelming majority, the government intends to conclude the Convention on Cybercrime, a treaty that stipulates international cooperation in investigating crimes in cyberspace.'

Read more: Slashdot

Posted via email from Jasper-Net

התגלה: טרויאני לגניבת BitCoins

חברת סימנטק מדווחת על גילוי סוג חדש של סוס טרויאני, אשר תפקידו לגנוב לכם את הארנק הוירטואלי המכיל את מטבעות ה-BitCoins שלכם.

wallet.dat

הסוס הטרויאני החדש נוצר כדי לחפש במחשבים הנגועים את הקובץ של הארנק הוירטואלי המחזיק בנתונים של מטבעות ה-BitCoins שבבעלות המשתמש במחשב. עם איתור הקובץ הספציפי, הסוס הטרויאני לוקח את הקובץ ומעביר אותו באמצעות FTP אל כותבי הטרויאני. נזכיר, כי כל שיטת ה-BitCoins מבוססת על כך שהתיעוד של המטבעות שבבעלותכם מאוחסנת כקובץ במחשב שלכם. בעל הקובץ, הוא בעל ה-BitCoin.

המטבע עצמו נשמר על המחשב שלכם כקובץ אותו ניתן לאחסן כמו כל קובץ אחר על הדיסק קשיח או כל מדיה אחרת. באותו אופן, הוא גם יכול "ללכת לאיבוד". אם הולך לכם לאיבוד הזיכרון הנייד שעליו קובץ ה-BitCoin, אבד גם הכסף, כאילו אבד לכם הארנק הפיזי. אם קרס לכם הדיסק הקשיח, ולא הספקתם לעשות גיבוי לקובץ ה-BitCoin, אבד הכסף. בנוסף, יכול לקבל ולהחזיק ב-BitCoin רק מי שיש לו חשבון ברשת, עם מספר ייחודי משלו. ובהקשר של הטרויאני החדש, אם לוקחים לכם את הקובץ, לוקחים לכם את הכסף.

ניתן להגן?

אם אתה משתמשים ב-BitCoins, ההמלצה כרגע של סימנטק היא להצפין את קובץ הארנק שלכם עם סיסמא ארוכה במיוחד, כזאת שתקשה על הפורץ שחטף לכם את הקובץ לגשת אל התוכן שלו. בפועל, גם אם אתם יכולים להעביר את קובץ הארנק שלכם למדיה ניידת ולמחוק אותו מהמחשב המחובר לאינטרנט, הרי שברגע שתרצו להשתמש בארנק הוירטואלי תצטרכו ממילא לחבר אותו שוב לאותו מחשב, ולחשוף אותו לאותה סכנה, אם המחשב שלכם חשוד ככזה שאולי נדבק בסוס הטרויאני החדש.

Read more: newsGeek

Posted via email from Jasper-Net

18,000 accounts compromised in BioWare hack

Mass Effect developer the latest victim as mindless hacks sweep the industry

The sensitive personal data of more than 18,000 BioWare customers has been compromised in a new data hack, the EA studio has said.

BioWare discovered on Tuesday that an unauthorised user had gained access into its community servers associated with the Neverwinter Nights forums.

Personal data compromised includes usernames, passwords, email addresses and birth dates, BioWare has said.

No credit card data has been taken.

“We have emailed those whose accounts may have been compromised and either disabled their accounts or reset their EA Account passwords,” read a BioWare statement.

Read more: Developer

Posted via email from Jasper-Net