Anmol Malhotra : Reading a Hacker's Mind

New Security Testing Tool is out called - "Watcher"

2009-04-17T23:30:00Z

Talking to Bryan Sullivan on the SDL team last week, I came to know about a cool new security testing tool - "Watcher". This is a plugin to web debuging proxy Fiddler and checks for more than 35 different vulnerabilites. Yes, its Free!!

This new plugin can be downloaded from http://websecuritytool.codeplex.com/. Be sure to install Fiddler before you install Watcher. For more details on the tool - Read this blog post.

Happy bug hunting !!
Anmol Malhotra

Microsoft IT Information Security (InfoSec) - New Site

2009-03-10T01:24:00Z

We’ve recently launched a site on MSDN. Visit Microsoft IT's Information Security (InfoSec) group here. On the site, you'll find the latest news on InfoSec including security tools, webcasts and “How do I?” videos. If you’re not familiar with InfoSec, we’re responsible for information security risk management at Microsoft. We’ll let you know as new information is posted to our site.

Microsoft IT Information Security (InfoSec)
http://msdn.microsoft.com/en-us/security/dd547422.aspx

Thanks,

Anmol Malhotra

Information Security

February 25, 2009: MSDN Webcast Software Security with Static Code Analysis Using CAT.NET (Level 200)

2009-02-16T22:37:00Z

CLICK HERE TO REGISTER NOW

Presenter:

Andreas Fuchsberger, Senior Software Design Engineer, Microsoft Corporation

Summary:

In this webcast, we provide an overview of what static code analysis is and typical coding errors that static analysis can and cannot detect. We also look at the recently released CAT.NET tool and how it helps with the detection of security flaws.

Thanks,

Anmol Malhotra

Senior Security Engineer.

Discover the New HelloSecureWorld Security Resource

2008-02-01T09:10:00Z

www.HelloSecureWorld.com provides a powerful experience for promoting security awareness and education in the developer community by surfacing existing content as well as new.

Well, If you like learning while having FUN then hellosecureworld.com is the resource for you. It brings non traditional ways to provide security awareness and education among the developer community - Virtual lab environment, hands on labs, tutorials, videos, play attack defender games and much more.

Happy Learning !!

- Anmol

First Line of Defense for Web Applications - Blog series

2008-01-14T10:00:00Z

Hello folks,

I just completed my blog series on Input Validation Strategies on our hackers blog - http://blogs.msdn.com/hackers

Dan Cornell summarized this series perfectly on his blog http://denimgroup.typepad.com/denim_group/2008/01/first-line-of-d.html - here is what he had to say -
--------------------------------------------------------------------------------------------------------------------------------------------------------------

First Line of Defense for Web Applications - Series of Great MSDN Blog Posts

By Dan Cornell

There is a fantastic set of blog posts over on the Hackers blog on MSDN taking a deep look at input validation. Input validation is the most important thing you can do to make applications safer from malicious attackers. If input validation is implemented well, you can even have glaring vulnerabilities in your application code but have the validation layer render them unexploitable or at least reduce the impact. This isn't true all the time and input validation won't protect against many classes of attack, but starting with input validation as your foundation puts you in a position to avoid a lot of really silly, easy to find and exploit vulnerabilities.

The installments are:

My favorite part about this series are the examples in parts 4 and 5. They go through common, ineffective protection measures that teams implement and provide examples of attack payloads that circumvent these protections. This is great information because a lot of development teams are using these ineffective protection mechanisms ("we replace every ' character with '' to prevent SQL injection...") and think that they are safe. Having a set of clear and concise counter-examples is very useful in being able to see how applications remain exposed.

The series of articles also does a great job of demonstrating how black-list (negative) validation is a not-very-secure and ultimately brittle approach to validation. They even provide an example of how the built-in ASP.NET Cross Site Scripting (XSS) protection (based on black-list validation) has been defeated in the past.

Even though there are a lot of ASP.NET specific examples, the principles covered in these posts apply to anyone developing applications deployed in a hostile environment - regardless of implementation platform.

--Dan
dan _at_ denimgroup.com

PS - I took the photo while riding ATVs on the beaches in Costa Rica last fall.

--------------------------------------------------------------------------------------------------------------------------------------------------------------

Thanks & Stay Secure
Anmol Malhotra

XSSDetect Public Beta now Available!

2007-10-23T04:55:00Z

XSSDetect is available for download now. It's tool which helps identify Cross Site Scripting Vulnerabilities in .NET code.

XSSDetect runs as a Visual Studio plug-in and can detect potential XSS issues in managed code.

Here's a screenshot:

More information including link to download available here.

- Anmol Malhotra

How to Prove your Digital Identity?

2007-10-13T08:49:00Z

Abstract:

With the dawn of the internet, online businesses and millions of applications have become part of our lives. But these application and its users does face many challenges. Applications level threats have grown tremendously. Online identity threat, phishing and privacy concerns are on a rise. Almost everyone today has a digital identity and amount of accounts and passwords are getting difficult to track. This paper aims in understanding all you need to know about different ways to prove your identity to authenticate against an application. It discusses present methods like passwords, digital certificates, smart cards to authenticate identities and moves on introducing windows cardspace to manage diverse digital identities effectively. Limitation of each technology and application specific scenarios where these different methods are effective will also be discussed.

What is a Digital identity?

There are tons of definitions out there for the word Identity. One of the most interesting one which I observed is the one from Webster’s dictionary which describes identity as “Collective aspect of the set of characteristics by which a thing is recognizable or known.” It is the sameness of essential character, individuality, or the fact of being the same person as one claims to be. So your identity can include your name, age, your social security number, your DNA, birthmarks, fingerprints, or simply characteristics of your body. Just as the word suggests your identity is something by which you can be identified.

In the physical world each and every one of us are uniquely identified and we possess identity proofs for different purposes. Physical identities ranges from your country issued passport, driving licences, to social security number and credit cards, etc. We can’t even imagine a world without identification, if would have been a nightmare if people did not have names and identity proofs in the physical world. Identities have the same importance in the digital world as well.

But fact today is that we not only live in our physical world but with the tremendous growth of internet where businesses have grown from leaps and bounds, we all live in this digital world as well.

When you identify yourself to this digital world with information about who you are is actually a digital identity which is being represented. Digital identity is how you get identified on the World Wide Web. According to Wikipedia Digital identity also has another common usage as the digital representation of a set of claims made by one digital subject about itself or another digital subject. A digital subject is an entity represented or existing in the digital realm which is being described or dealt with. Digital subjects can be living or non living. They can be humans, devices or computers, web servers or digital resources.

We all have many difficult to manage digital identities as we do in the physical world. Online banking applications, personal and official emails, online communities, blogs and the list goes on and on.
--------------------------------------------------------------------------------------------------------------------------

Above is just a glimpse of my new paper around Digital Identities.

I have started writing on digital identities and various authentication mechanisms available to prove your digital identity- past, present and future.

Stay tuned for more.....

- Anmol Malhotra
Security Consultant
ACE Services Team

I am in Redmond now.....

2007-09-24T01:32:00Z

Hello folks,

It's been a while since my last blog. Well I have been keeping busy with relocating all the way from India to US. Yes, I have now joined Microsoft -Redmond team. Leaving a country is not all an easy task folks but i am glad things went well.
Well I am liking it here & I will be back in action on my blog with lot of intresting things about security very soon.

Stay Tuned........

Cheers,
Anmol Malhotra
Security Consultant
ACE Services

Web Application Security Basics - Strong Naming an Assembly

2007-07-02T17:21:00Z

Strong Naming an Assembly: Assembly should be strongly named à Proves the integrity of the Assembly and provides a means using which an Assembly is uniquely identified.

Concept: To prove the integrity of the assembly, firstly the hash of the assembly is taken and then encrypted with the private key of the publisher. The related public key is kept in the manifest of the assembly along with the assembly name and the name of the algorithm used for hashing.

1) Genrate the key pair using sn utility (sn –k file.key)

2) Extract the public key (sn –p file.key pub.key)

3) Make delaysign = true so that the program can use the dll.

4) To push it in GAC use register verification skipping option (sn –Vr dll)

Best Practices / checklist

þ Check for the [assembly: AssemblyKeyFile (@ “C:\Key\xyz.snk”)] directive in the assembly.cs file.

þ Check for the size of xyz.snk file it should be of just 160 bytes (if it consists just the public key). If it is of 596 bytes( it contains both public and private key).

þ Recommend for delay signing the assembly while in the Test UAT.

þ Recommend to keep the Private key in a folder properly ACL’d while resigning it during shipping the assembly into production. (sn –R dll file.key).

TechMela'07 My Threat Modeling Session details........

2007-06-09T13:44:00Z

Folks,

Here are my session details for TechMela 2007

My deep dive session is scheduled for 16th June : 11:00 AM to 12:00 PM : Threat Modeling Strategy for LOB applications.

You can checkout more details here... http://www.techmela.com/speaker.htm & detailed agenda from http://www.techmela.com/tec_agenda.htm link.

See you,
Anmol Malhotra
Security Consultant
ACE Services
anmol(dot)malhotra(at)microsoft.com

ACE is Hiring again ................ Security Folks in Hyderabad India

2007-06-06T12:44:00Z

Hi Guys,

We are Hiring in Microsoft ACE- Application Consulting and Engineering Team. Positions are based out of Hyderabad, India campus. We are looking for folks with profile something similar to this- http://blogs.msdn.com/ace_team/archive/2006/07/14/666013.aspx

If you are passionate about Security & have the zeal, we would like to hear from you.

Keep it secure,

Cheers,
Anmol Malhotra
Security Consultant
ACE Services
anmolm(at)microsoft(dot)com

I am gonna Rock TechMela 2007 [13th - 16th June]

2007-06-01T14:35:00Z

Hi guys,

I am going to present deep dive session on Threat Modeling Process and our very own Threat analysis and modeling Tool - TAM in TechMela 2007 in Mumbai [13th - 16th June]

For more information on the event registerations, sessions or speakers check out http://www.techmela.com

See you in mumbai.........

Here is the my session title and abstract...

Session Title :

Threat Modeling Strategy for Line Of Business applications.

Abstract :

To protect your applications and build a secure system, it is imperative that you identify and understand all of the potential threats to your applications. Threat modeling is an increasingly valuable discipline, and one that should form part of your application design phase.

The process of threat modeling is built on a simple principle: in order to feasibly build a secure system, one must understand all the threats in that system. The challenge, however, has been to make threat modeling easily adoptable by and beneficial for non-security information technology professionals (business owners, architects, developers, testers, etc.). With over 3 years of experience in threat modeling, Microsoft has developed and refined a threat modeling process to a point where minimal input (non-security related!) is used to produce a feature rich threat model used to manage the risk to software applications during the SDLC and beyond. Using the Microsoft Threat Analysis & Modeling v2.1 tool, application development teams can create a threat model that helps detect security flaws and evaluate application threats and vulnerabilities.

This session will go over this threat modeling process, outline its benefits, showcase the Threat Analysis & Modeling tool [TAM] and show how threat modeling fits into the Microsoft Security Development Lifecycle (SDL) for IT.

Cheers

Anmol Malhotra

Security Consultant

anmol(dot)malhotra(at)microsoft.com

Cross – Site Scripting Test Case -

2007-05-08T17:26:00Z

Check for persistent Cross attack-Site Scripting bugs through the input form fields

Steps:

o Identify entry points that collect user input such as Form inputs [e.g text boxes], query string parameters, etc.

o Check if the user input saved to database and same data is fetched back and rendering back to screen.

Enter this : <Script>alert('XSS')</script> , "><script>('XSS')</script> , ;alert('XSS') , ');alert('XSS') , javascript:alert('XSS')
In data rendering page, If this pops up an alert box saying “XSS” attack was successful.
Depending on the context of the output this payload might need more tweaking. Do a View Source to find where & how the input was echoed back.

Cheers,

Anmol Malhotra

Security Consultant
ACE Services

Is there a Firewall for Humans ??

2007-04-02T15:05:00Z

<Alice> Good Morning, this is Company’s Technical Support, I am Alice speaking, how can I help you?

<Bob> Hi Good Morning Alice, this is Bob Davis- Head of Marketing and sales. I am in the middle of a presentation with one of the biggest customers in our state, but I am unable to access my account remotely. Can you please reset my password?

<Alice> uuuh, Sir I am not sure I can do that now

<Bob> I need to demo our latest emailing system or we will lose this opportunity. Do you want our company should lose this million dollar contract for a stupid password? I am unable to RAS in right now & I can’t let my customer waiting any more. Our company reputation is at stake. Now can you get this thing done for me???

<Alice>hmm ohh ok sir, give me a minute & I will reset your password

<Bob> Thanks a ton! Appreciate your help Alice. My account name is smartbob

<Alice> Your password has been reset. Please try connecting now. it is Qa89%500

<Bob> Got that. Thanks again.

Above is a typical case of a social engineering attack. This kind of attack can only be mitigated by User Educations and awareness. Technology can aid in protection but it has its own limits. Vista has some cool features to protect users falling in attackers trap.

Learning how to spot social engineering techniques is the next step and the new Windows Vista operating system makes that easier to do:

•	Internet Explorer 7 is available for Windows Vista and has a Phishing Filter built in that scans and alerts users to potentially harmful phishing sites.
•	Windows Vista Parental Controls offer parental controls for children to help prevent kids from downloading unwanted software.
•	Windows Defender helps you avoid spyware and other malicious software that can be part of a social engineering scam.
•	User Account Control built into Windows Vista requires your consent before allowing a potentially dangerous program to run. This helps reduce the impact of viruses, spyware, and other threats you might encounter through social engineering.

More information @ http://www.microsoft.com/athome/security/email/socialengineering.mspx

Security Tools for Testers- Part II

2007-02-18T13:25:00Z

Welcome to the Security Tools for Testers Part II, in Part I we looked at security tools available for developers which can enable them to indentify security issues upfront in the development cycle. Let’s move up the chain and see what tools testers can leverage when they test web applications.

1. HTTP Debuggers type tools

Fiddler - Public version V1.2 is available at http://www.fiddlertool.com/fiddler

Single liner = Fiddler allows you to fiddle with HTTP traffic :)

Basically it is an HTTP debugging proxy that logs all HTTP traffic between your computer and the Internet. Fiddler enables you to inspect all HTTP traffic, set breakpoints, and "fiddle" with incoming or outgoing data. Fiddler can investigate SSL http connections as well. Fiddler is a tool to be used by security testers who are looking for vulnerabilities in Web applications or client applications that integrate with the Web.

it has powerful features where you can intercept a request, change it & send it to the server OR you can intercept a response , change it & then send it to the client. You can even replay a captured session by hand crafting a custom request. very cool feature..... now let’s hit the nail question - What all security issues can fiddler help me indentify?

Input validation issues - specifically bypassing client side validations
Cross site scripting issues - fiddle with Query string, forms fields etc to verify this
SQL injection issues
Authorization issues
Information disclosure
Many more.....

IMO if testers while conducting functional testing on the web applications, can also test for these low hanging fruits security issues , using tools like fiddler, we can really decrease the number of security issues which pass on to our productions systems.

2. Network Analyzers

NetMon 3.0 has been released & i am in love with this tool:) specially with the powerful filter feature which allows you to filter captured or displayed packets. It has got a brand new User interface and many cool features. Network monitor is a sniffer tool which can help you analyze network traffic.

With Network Monitor, you can:

Capture frames (packets) directly from the network.
Display and filter the captured frames
Much more

Network monitor 3.0 has a command line tool as well to capture traffic. You can use the ‘Nmcap.exe’ tool to capture frames without the GUI. This tool is available in the Network Monitor 3 installation directory.
From a testing perspective, netmon can help you identify -

verify if the communication channel is in clear or encrypted text (very important)
identify performance bottlenecks

This tool will come in handy when you are reviewing a third party thick client & are not sure of the communication channel (clear or encrypted) it is talking on.

Where to find Network Monitor 3.0 ? -- simply click the link below....:)

http://blogs.technet.com/netmon/default.aspx

Cheers,

Anmol Malhotra