parsonsisconsulting

Parsons Software Security Consulting Blog

Posts Tagged ‘software security

IDA pro book review

leave a comment »

IDA pro book review

 

Book Title:  The IDA Pro Book, “The Unofficial Guide to the World’s most popular disassembler”

 

Author: Chris Eagle

 

Publisher: No Starch Press

 

 

Publication Year:  2008

 

 

ISBN-10: 1-59327-178-6

 

 

Number of Chapters: 26

 

 

Number of Pages:  615

 

 

Book Price:  $69.95

Rate Content: Very good

 

 

 The IDA Pro Book, “The Unofficial Guide to the World’s most popular disassembler” is probably the best book on disassembling and reverse engineering.   Chris Eagle, the author, lives and breaths reverse engineering.  This tool discusses the techniques for reverse engineering but uses the tool IDA pro as an example.

 

 IDA pro is the world’s most popular disassembler and allows users’ to reverse engineer binary and executable files without access to the source code. 

 

I purchased the tool last year for around 600 dollars US.   I have been using Eagle’s book as both an in depth reference guide and a step-by-step manual.  I have mastered most areas in Internet Security but have not quite grasped reverse engineering.  Eagle explains very complex computer algorithms in an easy to understand way without insulting the reader’s intelligence.  

 

Reverse engineering is a bleeding edge technology and the author keeps on updating the book with new advances in the reverse engineering space.   The book that I read was the 2008 edition but there is also a 2011 edition with more up to date information.  

 

For the beginner in reverse engineering, the author explains disassembly and reverse engineering in the first few chapters allowing and even telling more advanced user’s to skip these chapters.  

 

The IDA Pro Book, “The Unofficial Guide to the World’s most popular disassembler” gives a very good high level overview of reverse engineering by having a getting started section and lot’s of excellent high resolution pictures to help explain the topics.

 

It is also very helpful that Eagle has actual screen shots from IDA pro and a website with exercises on it to help the user learn in a more interactive way.   http://www.idabook.com/ 

 

 

 

            The website even includes the Conficker virus for user’s to review actual exploit code.  Reverse engineering is important when corporations want to analyze the what and how viruses work.  

 

            I think the real golden nuggets in this book, is Part III Advanced IDA Usage.   This allows the user’s to customize their version of IDA with configuration files.  

 

            The book also explains some very technical details on library recognition and FLIRT signatures, extending IDA’s Knowledge, Patching binaries and other IDA Limitations, scripting with IDA, The IDA software development kit, the IDA Plug-in architecture, binary files and IDA loader modules, IDA processor Modules, compiler variations, Obfuscated code analysis, vulnerability analysis, debugging and other operating systems that you can use IDA pro on. 

 

            I personally purchased IDA pro for my Mac Book pro.   If I didn’t have this book I would be completely lost on how to use IDA pro effectively.  The actual help inside of IDA is sparse and this bridges the gap and allows the user to become a beginner to expert with a lot of blood sweat and tears saved.  

 

            My only real recommendation before buying this book is to make sure that you are serious about reverse engineering and have invested the 600 dollars into the full version of the tool.  That is the only way you will get the full value of the book.  IDA offers a free version of the tool but you will only scratch the surface of reverse engineering if that is the only copy of IDA you have.  

 

            In short this is the Bible of reverse engineering and Eagle is the expert on the domain.  If you want the best and have the time to put into it I recommend you buy IDA and the book.  

 

 

 

 

 

Matt Parsons, CISSP, MSM mparsons@parsonsiconsulting.com 

 

Written by mparsons1980

February 12, 2014 at 3:20 pm

Java and .NET security

leave a comment »

Java Security

http://www.oracle.com/technetwork/java/javase/tech/index-jsp-136007.html

Java has many built in security features that developers of your organization need to use.   It is best not to build your own cryptography methods but use well established classes that have been tested and verified.

Java is has many built in security mechanisms that other languages do not including the following:

1.     Strong data typing

2.     Automatic memory management

3.     Bytecode verification

Cryptography

·       Comprehensive API with support for a wide range of cryptographic services including digital signatures, message digests, ciphers (symmetric, asymmetric, stream & block), message authentication codes, key generators and key factories

·       Support for a wide range of standard algorithms including RSA, DSA, AES, Triple DES, SHA, PKCS#5, RC2, and RC4.

Authentication and Access Control

·       Abstract authentication APIs that can incorporate a wide range of login mechanisms through a pluggable architecture

·       A comprehensive policy and permissions API that allows the developer to create and administer applications requiring fine-grained access to security-sensitive resources.

 

Secure Communications

APIs and implementations for the following standards-based secure communications protocols: Transport Layer Security (TLS), Secure Sockets Layer (SSL), Kerberos (accessible through GSS-API), and the Simple Authentication and Security Layer (SASL). Full support for HTTPS over SSL/TLS is also included.

Public Key Infrastructure

Tools for managing keys and certificates and comprehensive, abstract APIs with support for the following features and algorithms:

·       Certificates and Certificate Revocation Lists (CRLs): X.509

Certification Path Validators and Builders: PKIX (RFC

·       Certificates and Certificate Revocation Lists (CRLs): X.509

·       Certification Path Validators and Builders: PKIX (RFC 3280), On-line Certificate Status Protocol (OCSP)

·       KeyStores: PKCS#11, PKCS#12

Certificate Stores (Repositories): LDAP, java.util.Collection

http://docs.oracle.com/javase/6/docs/api/java/security/SecureRandom.html

java.security
Class SecureRandom

java.lang.Object   java.util.Random       java.security.SecureRandom 

All Implemented Interfaces:

Serializable


public class SecureRandom
extends Random

This class provides a cryptographically strong random number generator (RNG).

A cryptographically strong random number minimally complies with the statistical random number generator tests specified in FIPS 140-2, Security Requirements for Cryptographic Modules, section 4.9.1. Additionally, SecureRandom must produce non-deterministic output. Therefore any seed material passed to a SecureRandom object must be unpredictable, and all SecureRandom output sequences must be cryptographically strong, as described in RFC 1750: Randomness Recommendations for Security.

A caller obtains a SecureRandom instance via the no-argument constructor or one of the getInstance methods:

      SecureRandom random = new SecureRandom();  

Many SecureRandom implementations are in the form of a pseudo-random number generator (PRNG), which means they use a deterministic algorithm to produce a pseudo-random sequence from a true random seed. Other implementations may produce true random numbers, and yet others may use a combination of both techniques.

Typical callers of SecureRandom invoke the following methods to retrieve random bytes:

      SecureRandom random = new SecureRandom();       byte bytes[] = new byte[20];       random.nextBytes(bytes);  

Callers may also invoke the generateSeed method to generate a given number of seed bytes (to seed other random number generators, for example):

      byte seed[] = random.generateSeed(20);  

https://www.owasp.org/index.php/Insecure_Configuration_Management

http://www.troyhunt.com/2012/04/67-of-aspnet-websites-have-serious.html

 https://netbeans.org/kb/docs/javaee/secure-ejb.html

.NET security

            For the .NET portion of the article most of the security vulnerabilities come from insecure configuration management in the web.config file.

The below setting is insecure.  

<configuration>
   <system.Web>
      <customErrors mode="Off">

This one is secure.  

<configuration>  
 <system.Web>
      <customErrors mode="RemoteOnly">

It is a good idea to have a custom error page that states there was a problem please try again and have the user use the back button on the users browser.

Cookies Accessible Through Client-Side Script
In Internet Explorer 6.0, Microsoft introduced a new cookie property called HttpOnly. While you can set the property programmatically, you can set it generically in the site configuration.

Vulnerable

<configuration>
   <system.Web>
      <httpCookies httpOnlyCookies="false">

Secure

<configuration>
   <system.Web>
      <httpCookies httpOnlyCookies="true">

Custom Errors Disabled
When you disable custom errors as shown below, ASP.NET provides a detailed error message to clients by default.

Microsoft OLE DB Provider for ODBC Drivers error ‘80040e14’

([Microsoft][ODBC Microsoft Access Driver] Extra )

In query expression ‘UserID=’’’ AND Password =‘’

/_tblemployees/login3.asp, line 49

Vulnerable

<configuration>
   <system.Web>
      <customErrors mode="Off">

Secure

<configuration>  
 <system.Web>
      <customErrors mode="RemoteOnly">

Having the detailed error message to the user or attacker could give an attacker information leakage about the system to launch an attack on the application.  Displaying the type of language the application is written in, the database type, the web server operating system gives too much information to a would be attacker to compromise the application.   

 Hardcoded Credentials Used

Hardcoded credentials to a production database are really the keys to sensitive intellectual property or customer data.   Anyone that has access to hard coded credentials has access to the database.  

Insecure

<configuration>
   <system.Web>
      <password = rootpassword >

Secure

<configuration>
   <system.Web>
      <authentication mode="Forms">
         <forms>
         </forms>

 So hopefully you have a better understanding of java and .NET security.  A few configuration issues fixed in the web.config can make your application secure and better protect it from hackers.

Matt Parsons, CISSP, MSM

mparsons@parsonsisconsulting.com

Written by mparsons1980

February 7, 2014 at 8:33 pm

The secret to the CSSLP roles a CSSLP plays in an organization

leave a comment »

So you want to be a CSSLP.   Why is it important to become one and what will you learn?  Who are the stake holders in the organization?  

Roles a CSSLP plays within his/ her organization

  • Provides a holistic approach to software security needs
  • Gives advice regarding designing, developing and deploying secure software
  • Maintains knowledge on the latest software security technologies
  • Assists in meeting the assurance of compliance to regulations
  • Affirms compliance to the policy and procedures set

Image

Image

 

 

Image

 

 

Matt Parsons, CISSP, MSM

mparsons@parsonsisconsulting.com

 

 

 

https://www.isc2.org/uploadedFiles/Landing_Pages/Version_1/CSSLP-Prof-Web.pdf

Written by mparsons1980

January 8, 2014 at 5:37 pm

CSSLP the beginning: What is secure software development?

leave a comment »

Image

 

So lets talk about what we are trying to accomplish becoming a CSSLP.   In order to be a CSSLP you need to understand the basic concepts of software security.  

 

 

 

  • Confidentiality– keeping data private that is sensitive.
  • Authentication– verifying the entity that they are who they say they are.
  • Session management– HTTP is a stateless protocol and this is usually managed by cookies.  States or session are sensitive.
  • Integrity-  making sure the books stay straight and that data is not modified
  • Authorization-  the entity has the clearance to do what he or she is supposed to do no more or no less.  This also ties with the principle of least privilege.
  • Exceptions management– that the software systems handles errors properly and maintains a fail safe secure state.
  • Availability  that the software system is up and running when it needs to, to support the business. 
  • Auditing– the who, what, where and when questions to an activity. 
  • Configuration management– making sure that that vulnerabilities are not introduced to software systems when making changes. 

 

 http://www.isc2.org

Matt Parsons, CISSP, MSM

 

 

 

mparsons@parsonsisconsulting.com

 

 

 

 

 

Written by mparsons1980

January 7, 2014 at 11:40 pm

The secret to the CSSLP the beginning of the journey

leave a comment »

I am studying to become a CSSLP.  I have had my CISSP for a number of years and have been a programmer and ethical hacker for ten years.  I have my master’s degree in information security and management science and a bachelor’s degree in information science and human computer interaction.  I work for a very large security company.   I am taking the exam too and wanted to share my knowledge of studying for it with the blogsphere.    

The CSSLP examination tests the breadth and depth of a candidate’s knowledge by focusing on the seven domains which comprise the CSSLP, taxonomy of information security topics:

  • Secure Software Concepts – security implications in software development and for software supply chain integrity
  • Secure Software Requirements – capturing security requirements in the requirements gathering phase
  • Secure Software Design – translating security requirements into application design elements Secure Software Implementation/Coding – unit testing for security functionality and resiliency to attack, and developing secure code and exploit mitigation
  • Secure Software Testing – integrated QA testing for security functionality and resiliency to attack
  • Software Acceptance – security implication in the software acceptance phase
  • Software Deployment, Operations, Maintenance and Disposal – security issues around steady state operations and management of software

CSSLP stakeholders include:

  •    Auditors
  •    Top Management
  •    Business Unit Heads
  •    IT Manager
  •    Security Specialists
  •    Application Owners
  •    Developers & Coders
  •     Project Managers Team Leads
  •    Technical Archietects
  •    Quality Assurance Managers
  •    Business Analysts
  •    Industry Group Delivery Heads
  •    Client Side PM

https://www.isc2.org

Thanks Matt Parsons, CISSP, MSM
mparsons@parsonsisconsulting.com

Apple hacked!! Ethical hackers personal information hacked at Apple

leave a comment »

My fiancé was trying to download a movie today from iTunes when the security certificate was marked as invalid.  My first thought was did Apple get hacked?   She was trying to download the Jackie Robinson movie, 42.   I didn’t think anything of it and went back to my normal Sunday evening routine.   I was outside playing with our dogs in the yard when my iPhone alerted me of a new message.  

The message I received was the following.  
Image

I then did a little research and found out that Apple was indeed hacked and they were doing major over runs for maintenance.   Part of the problem is that first and foremost I am a an application security engineer and apple developer second.  I have been programming for 15 years and doing application security for 11 of those years.  I have been an apple developer for two years learning cocoa daily to one day strike it rich on an apple development idea. 

I was then thinking.   Apple has all of my sensitive information.   They have my social security number, my credit card, my name and address and my bank account number to deposit my application sales at least 60 percent of it to my bank account while apple profits 40 percent.  

I was thinking that man;  I am an ethical hacker and I got hacked.   It was not a good feeling.  It was a similar feeling when I found out my veteran’s information was hacked and they enrolled me in credit monitoring.  

I felt like a victim.   My career goal in life is to make more applications more secure.   I actually interviewed a few times with the apple development team and they told me I was not smart enough.   I do know this; if I was working with Apple, I would have been smart enough to encrypt all sensitive information.   I would have ensured that the confidentiality, integrity and availability of the application was met.  

I am not sure how this attacked happened but I am guessing from a web application vulnerability.   I believe if Apple hired a competent 3rd party unbiased application security engineer this would not have happened.   Attackers use the same tools and techniques that application security professionals do.   A thorough penetration test and a secure application review could have prevented this.  I pray for other consumers sake and companies that more companies take application security more seriously and reach out to non profit organizations like the open web application security project by training developers and hiring ethical third party security engineers to do software reviews to ensure the confidentiality, integrity and availability of data in systems and putting the proper security controls in place to prevent this from happening in the future.  

 

 

I hope that the most successful company getting hacked is a wake up call.   We need to train developers to program applications more securely and value the competent ethical third party application security engineers that review these applications.  

 

Matt Parsons, CISSP, MSM, CWASE

mparsons@parsonsisconsulting.com

 

 

http://allthingsd.com/20130721/apple-developer-center-was-hacked-site-remains-down-while-company-overhauls-security/

http://www.businessinsider.com/apple-developers-site-hacked-2013-7

OWASP top 10 2013 Introduction

leave a comment »

OWASP top 10 2013

https://www.owasp.org/index.php/Top_10_2013-Table_of_Contents

   * A1-Injection

   * A2-Broken Authentication and Session Management

   * A3-Cross-Site Scripting (XSS)

   * A4-Insecure Direct Object References

   * A5-Security Misconfiguration

   * A6-Sensitive Data Exposure

   * A7-Missing Function Level Access Control

   * A8-Cross-Site Request Forgery (CSRF)

   * A9-Using Components with Known Vulnerabilities

   * A10-Unvalidated Redirects and Forwards

We are going to look at the new OWASP top 10 for 2013 starting with injection to unvalidated redirects and forwards.   We will go through each vulnerability and look at the attack vector, risks, how to exploit and how to remediate to protect an application from attackers. 

Thanks,

Matt Parsons, CISSP, MSM, CWASE

mparsons@parsonsisconsulting.com

Written by mparsons1980

June 27, 2013 at 12:26 pm