Archive for February 2014
IDA pro book review
IDA pro book review
Book Title: The IDA Pro Book, “The Unofficial Guide to the World’s most popular disassembler”
Author: Chris Eagle
Publisher: No Starch Press
Publication Year: 2008
ISBN-10: 1-59327-178-6
Number of Chapters: 26
Number of Pages: 615
Book Price: $69.95
Rate Content: Very good
The IDA Pro Book, “The Unofficial Guide to the World’s most popular disassembler” is probably the best book on disassembling and reverse engineering. Chris Eagle, the author, lives and breaths reverse engineering. This tool discusses the techniques for reverse engineering but uses the tool IDA pro as an example.
IDA pro is the world’s most popular disassembler and allows users’ to reverse engineer binary and executable files without access to the source code.
I purchased the tool last year for around 600 dollars US. I have been using Eagle’s book as both an in depth reference guide and a step-by-step manual. I have mastered most areas in Internet Security but have not quite grasped reverse engineering. Eagle explains very complex computer algorithms in an easy to understand way without insulting the reader’s intelligence.
Reverse engineering is a bleeding edge technology and the author keeps on updating the book with new advances in the reverse engineering space. The book that I read was the 2008 edition but there is also a 2011 edition with more up to date information.
For the beginner in reverse engineering, the author explains disassembly and reverse engineering in the first few chapters allowing and even telling more advanced user’s to skip these chapters.
The IDA Pro Book, “The Unofficial Guide to the World’s most popular disassembler” gives a very good high level overview of reverse engineering by having a getting started section and lot’s of excellent high resolution pictures to help explain the topics.
It is also very helpful that Eagle has actual screen shots from IDA pro and a website with exercises on it to help the user learn in a more interactive way. http://www.idabook.com/
The website even includes the Conficker virus for user’s to review actual exploit code. Reverse engineering is important when corporations want to analyze the what and how viruses work.
I think the real golden nuggets in this book, is Part III Advanced IDA Usage. This allows the user’s to customize their version of IDA with configuration files.
The book also explains some very technical details on library recognition and FLIRT signatures, extending IDA’s Knowledge, Patching binaries and other IDA Limitations, scripting with IDA, The IDA software development kit, the IDA Plug-in architecture, binary files and IDA loader modules, IDA processor Modules, compiler variations, Obfuscated code analysis, vulnerability analysis, debugging and other operating systems that you can use IDA pro on.
I personally purchased IDA pro for my Mac Book pro. If I didn’t have this book I would be completely lost on how to use IDA pro effectively. The actual help inside of IDA is sparse and this bridges the gap and allows the user to become a beginner to expert with a lot of blood sweat and tears saved.
My only real recommendation before buying this book is to make sure that you are serious about reverse engineering and have invested the 600 dollars into the full version of the tool. That is the only way you will get the full value of the book. IDA offers a free version of the tool but you will only scratch the surface of reverse engineering if that is the only copy of IDA you have.
In short this is the Bible of reverse engineering and Eagle is the expert on the domain. If you want the best and have the time to put into it I recommend you buy IDA and the book.
Matt Parsons, CISSP, MSM mparsons@parsonsiconsulting.com
Official (ISC2) Guide to the CSSLP book review
| Book Title Official (ISC2) Guide to the CSSLP | |
| Author Mano Paul, CSSLP, CISSP | |
| Publisher CRC Press Taylor and Francis Group an Auerbach Book | |
| Publication Year 2011 | |
| ISBN 13-978-1-4398-2006-5(ebook PDF) | |
| Number Of Chapters seven | |
| Number Of Pages 521 | |
| Book Price 47.94 | |
| Rate Content Awesome resource | |
| Review | ( |
I enjoyed reading the Official Guide to the CSSLP. I read it cover to cover and with the practice questions and the CSSLP practice questions I feel adequately prepared for the CSSLP exam I am taking in a few months. I liked the fact that Michael Howard wrote the foreword. He is considered one of the pioneers in the application security space. I have read many of his books and blog posts cover to cover.
A few of my peers in the industry wrote essays to get their CSSLP. I have my CISSP after taking the exam and having the necessary work experience. I enjoyed the layout of The Official Guide to the CSSLP book because it covers all of the domains for the CSSLP. I really enjoyed the real life examples in the book. You can tell that the author has a lot of real world experience and did a lot of research to write this book. I noticed on Amazon the author wrote an updated version of the Official Guide to the CSSLP. I may purchase that one as well. It was 20 dollars more than the one I have. This book provides the foundation for a solid application security engineer by covering the topics of; secure software, secure software requirements, secure software design, secure implementation, coding, secure software testing, software acceptance and finally software deployment, operations and disposal. The final chapter was most beneficial to me because I have the least experience in it. I enjoyed secure software testing but much of it was content I was already aware of being an ethical application penetration tester.
I like that ISC2 is creating this certification as it validates the experience and credentials of application security engineers like me. I really, really enjoyed the diagrams in the book. They were easy to read and allowed me to visually look at the content. The core concepts of confidentiality, integrity and availability are drilled in this book. My only complaint that there appears to be some duplicate content with stressing the confidentiality, integrity and availability of software systems.
The reference to all of the standards including, industry, government, international and national standards was beneficial. You find that many of the standards have similar goals of keeping with the confidentiality, integrity and availability of software applications. The only issue I have with these is that I am having a hard time remember some of the different NIST certifications, as they are only a small difference in numbering. I hope that with flash cards that I create from the content of the book I can adequately remember the content and be able to pass the exam.
I was thrilled that Open Web Application Security Project was mentioned multiple times in the book. I have been a long time member and have read many of the documents created by OWASP. I am also a board member of OWASP Dallas and enjoy the mission and vision of OWASP making applications more secure around the world.
I really enjoyed the review questions in this book. I imagine the new book has more updated review questions. I may have to buy that book just to get the new questions for the exam. The author has lot of expertise in software security and put a lot of hard work into the book.
Matt Parsons, CISSP, MSM mparsons@parsonsisconsulting.com
Java and .NET security
Java Security
http://www.oracle.com/technetwork/java/javase/tech/index-jsp-136007.html
Java has many built in security features that developers of your organization need to use. It is best not to build your own cryptography methods but use well established classes that have been tested and verified.
Java is has many built in security mechanisms that other languages do not including the following:
1. Strong data typing
2. Automatic memory management
3. Bytecode verification
Cryptography
· Comprehensive API with support for a wide range of cryptographic services including digital signatures, message digests, ciphers (symmetric, asymmetric, stream & block), message authentication codes, key generators and key factories
· Support for a wide range of standard algorithms including RSA, DSA, AES, Triple DES, SHA, PKCS#5, RC2, and RC4.
Authentication and Access Control
· Abstract authentication APIs that can incorporate a wide range of login mechanisms through a pluggable architecture
· A comprehensive policy and permissions API that allows the developer to create and administer applications requiring fine-grained access to security-sensitive resources.
Secure Communications
APIs and implementations for the following standards-based secure communications protocols: Transport Layer Security (TLS), Secure Sockets Layer (SSL), Kerberos (accessible through GSS-API), and the Simple Authentication and Security Layer (SASL). Full support for HTTPS over SSL/TLS is also included.
Public Key Infrastructure
Tools for managing keys and certificates and comprehensive, abstract APIs with support for the following features and algorithms:
· Certificates and Certificate Revocation Lists (CRLs): X.509
Certification Path Validators and Builders: PKIX (RFC
· Certificates and Certificate Revocation Lists (CRLs): X.509
· Certification Path Validators and Builders: PKIX (RFC 3280), On-line Certificate Status Protocol (OCSP)
· KeyStores: PKCS#11, PKCS#12
Certificate Stores (Repositories): LDAP, java.util.Collection
http://docs.oracle.com/javase/6/docs/api/java/security/SecureRandom.html
java.security
Class SecureRandom
java.lang.Object java.util.Random java.security.SecureRandom
All Implemented Interfaces:
public class SecureRandom extends Random
This class provides a cryptographically strong random number generator (RNG).
A cryptographically strong random number minimally complies with the statistical random number generator tests specified in FIPS 140-2, Security Requirements for Cryptographic Modules, section 4.9.1. Additionally, SecureRandom must produce non-deterministic output. Therefore any seed material passed to a SecureRandom object must be unpredictable, and all SecureRandom output sequences must be cryptographically strong, as described in RFC 1750: Randomness Recommendations for Security.
A caller obtains a SecureRandom instance via the no-argument constructor or one of the getInstance methods:
SecureRandom random = new SecureRandom();
Many SecureRandom implementations are in the form of a pseudo-random number generator (PRNG), which means they use a deterministic algorithm to produce a pseudo-random sequence from a true random seed. Other implementations may produce true random numbers, and yet others may use a combination of both techniques.
Typical callers of SecureRandom invoke the following methods to retrieve random bytes:
SecureRandom random = new SecureRandom(); byte bytes[] = new byte[20]; random.nextBytes(bytes);
Callers may also invoke the generateSeed method to generate a given number of seed bytes (to seed other random number generators, for example):
byte seed[] = random.generateSeed(20); https://www.owasp.org/index.php/Insecure_Configuration_Management
http://www.troyhunt.com/2012/04/67-of-aspnet-websites-have-serious.html
https://netbeans.org/kb/docs/javaee/secure-ejb.html
.NET security
For the .NET portion of the article most of the security vulnerabilities come from insecure configuration management in the web.config file.
The below setting is insecure.
<configuration>
<system.Web>
<customErrors mode="Off">
This one is secure.
<configuration>
<system.Web>
<customErrors mode="RemoteOnly">
It is a good idea to have a custom error page that states there was a problem please try again and have the user use the back button on the users browser.
Cookies Accessible Through Client-Side Script
In Internet Explorer 6.0, Microsoft introduced a new cookie property called HttpOnly. While you can set the property programmatically, you can set it generically in the site configuration.
Vulnerable
<configuration>
<system.Web>
<httpCookies httpOnlyCookies="false">
Secure
<configuration>
<system.Web>
<httpCookies httpOnlyCookies="true">
Custom Errors Disabled
When you disable custom errors as shown below, ASP.NET provides a detailed error message to clients by default.
Microsoft OLE DB Provider for ODBC Drivers error ‘80040e14’
([Microsoft][ODBC Microsoft Access Driver] Extra )
In query expression ‘UserID=’’’ AND Password =‘’
/_tblemployees/login3.asp, line 49
Vulnerable
<configuration>
<system.Web>
<customErrors mode="Off">
Secure
<configuration>
<system.Web>
<customErrors mode="RemoteOnly">
Having the detailed error message to the user or attacker could give an attacker information leakage about the system to launch an attack on the application. Displaying the type of language the application is written in, the database type, the web server operating system gives too much information to a would be attacker to compromise the application.
Hardcoded Credentials Used
Hardcoded credentials to a production database are really the keys to sensitive intellectual property or customer data. Anyone that has access to hard coded credentials has access to the database.
Insecure
<configuration>
<system.Web>
<password = rootpassword >
Secure
<configuration>
<system.Web>
<authentication mode="Forms">
<forms>
</forms>
So hopefully you have a better understanding of java and .NET security. A few configuration issues fixed in the web.config can make your application secure and better protect it from hackers.
Matt Parsons, CISSP, MSM
mparsons@parsonsisconsulting.com
parsonsisconsulting 