Articles tagged with: Security

The importance of having strong and varied passwords

Some of my friends say I'm mad because I usually have a different password for each website, service or system I register with. And while I understand that this is not easy, you should at least have different passwords for important sites, normal sites and crappy sites (the more levels, the better). But even if you have a few "shared" passwords, there are some rules that for me are pretty basic and critical to ensure the security of your online accounts.

  • The first and, in my point of view, most dangerous problem is having one shared password for everything: email accounts, online shopping, websites, forums... Sadly, we live in a world so full of badly secured websites, faulty software and, in general, scarce security measures that the chances of our password being stolen, or at least read, increase with each site/service we register with.
    Never use only one password for everything.
  • The second (as I said, IMHO) is choosing a predictable password. Apart from the existing word lists and brute-forcing dictionaries, if I were malicious and tried to break into someone's Messenger account, I would go from guessing the secret answer to trying birthdays, girlfriend anniversary dates, things that the other person likes...
    Never use a common word or anything related to your personal life that others might guess or predict.
  • And the third one is not taking advantage of the allowed character sets and choosing a weak password. If the password is case-sensitive, use both upper- and lower-case letters. If you can use slashes, underscores or other symbols, add them! The difference between an alphanumeric-only brute-force dictionary attack and a full ASCII one is huge (and imagine with Unicode or similar!); the harder you make it for hypothetical attackers, the better.
    Use all available character types and symbols when creating a password.
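To put numbers on the charset argument above, here is an added Python example (my code, not part of the original post) that estimates the brute-force keyspace of a password from the character classes it actually uses. The class sizes are the standard printable-ASCII counts (26 + 26 + 10 + 33 = 95); the guess rate used for the time estimate is an assumed figure, not a measurement.

```python
import math
import string

# Character classes a brute-force dictionary has to cover, with their sizes.
# Together the four classes are the 95 printable ASCII characters.
CLASSES = [
    ("lowercase", set(string.ascii_lowercase), 26),
    ("uppercase", set(string.ascii_uppercase), 26),
    ("digits", set(string.digits), 10),
    ("symbols", set(string.punctuation + " "), 33),
]


def charset_size(password):
    """Size of the smallest standard charset that covers every character used."""
    size = 0
    for _name, chars, count in CLASSES:
        if any(c in chars for c in password):
            size += count
    # Anything outside printable ASCII (e.g. Unicode) widens the search space
    # further; each distinct such character is counted once, as a lower bound.
    extra = {c for c in password if not c.isascii() or not c.isprintable()}
    return size + len(extra)


def keyspace(password):
    """Number of candidates an exhaustive search of that charset and length covers."""
    return charset_size(password) ** len(password)


def entropy_bits(password):
    """Keyspace expressed in bits: length * log2(charset size)."""
    return len(password) * math.log2(charset_size(password))


def years_to_exhaust(password, guesses_per_second=1e10):
    """Worst-case time to exhaust the keyspace at an assumed offline guess rate."""
    return keyspace(password) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    # Constructed sample passwords: same length, increasingly wide charsets.
    for pw in ("password", "Password", "Passw0rd", "P@ssw0rd"):
        print(f"{pw:10} charset={charset_size(pw):3} bits={entropy_bits(pw):5.1f} "
              f"years@1e10/s={years_to_exhaust(pw):.6f}")
```

The point the ratio makes: at eight characters, switching from letters and digits (62) to full printable ASCII (95) multiplies the keyspace by (95/62)^8, roughly 30x, and every extra character multiplies it again by the whole charset size, which is why length and variety together matter more than either alone.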

I use password safe software to store all the different website passwords. My recommendation is to check in detail what encryption algorithms it implements, how portable it is (USB drive/portable version, PDA/phone read-only version to check passwords wherever you are...) and, of course, to set up a really hard and strong password on the safe! Mine is around 30 characters long, including all kinds of characters. Remember that it will store everything, so it has to be the hardest password to crack!
It should also have a lockdown timer, so if you forget to close it, it auto-shuts down after X minutes.

The weakest point in the security chain is always the human factor, so try to harden it!


Review: PasswordsPro

Time for another review: PasswordsPro. PasswordsPro is a "password safe" tool, similar to another application I use, Flexwallet/eWallet. It allows storing sensitive passwords (like website or email account ones) in an encrypted file.

screenshot

The interface is very simple: we choose a passwords file, enter its master password, and then manage the list of passwords and secure notes (more on this later). There is no categorization, so with a huge list of passwords it might get a bit messy, but nothing we can't control by adding more info to the names.

screenshot

The info for each password is the typical one, as we can see in the screenshot just above. There are no type/scope options, but we can store notes for each individual password (and so use this as a manual "custom fields" section).

Apart from passwords, we can store "secure notes" too.

screenshot

As the name hints, they are just a list of text notes. Simple, but not available in other password safe programs, and useful for storing not only passwords but other sensitive info.

screenshot

Apart from these features, PasswordsPro supports inactivity protection, another usual feature that auto-closes the application after it has not been used for a given time (so you don't have to worry about leaving your safe lists open).

And the last nice feature: the application supports being used as a portable app from a USB disk, just by copying the .exe, a .dll and your license file.

My only real complaint about this application is that I haven't found any details of which encryption algorithms are used, just "PasswordsPro uses encryption algorithms that are standard in the industry having a strong level of security".


IIRF: A decent URL rewriter ISAPI filter

It's been a long time since my last security-related post, but from time to time I'm assigned small tasks related to it. The last one, just finished today, was doing some research and proofs of concept about ISAPI filters for a Spanish company, to harden their servers and protect them from XSS and SQL injection.

One of my colleagues and I did some research and found some filters, both free and commercial (and some a bit outdated). After trying one commercial one, it proved crap. It couldn't even capture the parameters the right way (it was taking the URI instead of the full URL, so the query string was ignored, to give one of multiple examples). We grew desperate and started searching for more filters like mod_rewrite in Apache.

That was, until we came across Ionic's Isapi Rewrite Filter (IIRF), an open-source ISAPI filter written in Visual C++, which uses Perl-compatible regular expressions to define the rules and conditions for rewriting (or redirecting) URLs.

The installation is simple, so I won't go deep into it (read the included readme.txt; it is just adding a new ISAPI filter to IIS pointing to the filter's DLL file).

The interesting stuff comes after that: configuring IsapiRewrite4.ini, which holds all the regular expressions (rules) for matching and replacing.

They are used much like the mod_rewrite rules mentioned before, allowing for quite interesting stuff. Here are a few simple examples:

RewriteRule (.*)(<|%3c)(script|%73%63%72%69%70%74)(>|%3e)(.*) /incorrecturl.aspx [I,L]
This rule blocks all <script> tags (either plain or URL-encoded), ignoring case ([I] modifier).

RewriteRule (.*)%00(.*) $1$2 [I]
This rule strips nulls, which are used for example to evade detection of tags, as in: javas%00cript:
Note: here the [L] modifier is omitted to allow multiple replacements (if it were present, only the first null found would be removed).

RewriteRule (.*)eval(\(|%28)(.*) /incorrecturl.aspx [I,L]
Same as the first one, this time with the start of the "eval(" JavaScript function call.
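To check what these three rules actually do to a request before deploying them, here is an added Python example that I wrote for this page; it is not IIRF code. It replays the rule list over a few constructed sample URLs using a simplified model of the engine, which is an assumption on my part: rules are tried in order, a matching rule replaces the whole URL with its substitution ($1..$9 being the captured groups), [I] makes the match case-insensitive, [L] stops processing after that rule, and without [L] the list is run again until no rule matches or an iteration limit is hit.

```python
import re

# The three rules from the post, as (pattern, substitution, modifiers).
RULES = [
    (r"(.*)(<|%3c)(script|%73%63%72%69%70%74)(>|%3e)(.*)", "/incorrecturl.aspx", "I,L"),
    (r"(.*)%00(.*)", "$1$2", "I"),
    (r"(.*)eval(\(|%28)(.*)", "/incorrecturl.aspx", "I,L"),
]

ITERATION_LIMIT = 10  # guards against a rule set that keeps rewriting forever


def _compile(pattern, modifiers):
    """Compile a rule pattern; [I] maps to a case-insensitive match (assumed)."""
    flags = re.IGNORECASE if "I" in modifiers.split(",") else 0
    return re.compile(pattern, flags)


def _substitute(replacement, match):
    """Expand $1, $2, ... in the substitution with the captured groups."""
    return re.sub(r"\$(\d)", lambda m: match.group(int(m.group(1))) or "", replacement)


def rewrite(url, rules=RULES):
    """Return the URL after applying the rule list; unchanged if nothing matches."""
    compiled = [(_compile(p, f), r, "L" in f.split(",")) for p, r, f in rules]
    for _ in range(ITERATION_LIMIT):
        changed = False
        for regex, replacement, last in compiled:
            m = regex.search(url)
            if not m:
                continue
            url = _substitute(replacement, m)
            changed = True
            if last:           # [L]: this rule ends processing
                return url
        if not changed:        # a full pass with no match: we are done
            return url
    return url


def audit(urls, rules=RULES):
    """Pair each sample URL with its rewritten form, for reviewing a rule set."""
    return [(u, rewrite(u, rules)) for u in urls]


if __name__ == "__main__":
    # Constructed sample request paths, not captured traffic.
    samples = [
        "/products.aspx?id=42",
        "/search.aspx?q=%3Cscript%3Ehi%3C/script%3E",
        "/page.aspx?u=javas%00cript%00:x",
        "/x.aspx?c=eval%28z%29",
    ]
    for original, result in audit(samples):
        print(f"{original:45} -> {result}")
```

The null-byte rule is the instructive one: with two nulls in the sample URL, the list has to run twice to strip both, which is what dropping [L] buys you; passing the same rule with "I,L" instead leaves one null in place after a single pass.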

These are just a few rules; for a (quite large) list of common and not-so-common XSS attacks, you can check any XSS cheat sheet.


Protecting from SQL Injection in ASP.NET

Today, a small post that I've had in mind for some time... a quick list of how to fortify against SQL injection (and some more general best practices).

  • You can do some JavaScript client-side validation to avoid postbacks, but remember: never, ever trust client-side code and data.
  • Check all input data before passing it to your application logic. Parse integer data types into actual integers and validate data against the expected formats.
  • Server.HtmlEncode() and Server.HtmlDecode() are vital in web applications; do not forget them.
  • You can use a black-list approach to eliminate or escape undesired characters, but I prefer a white-list approach: regular expressions are cool and not so difficult, so use them, and if a username can only contain letters and numbers, do not let anything else in.
  • Using custom entities, business objects or similar object-oriented approaches helps avoid injections. If you missed validating the age field on the new-user page, its integer age property will throw an exception when the new user entity is created.
  • Never, ever build query strings without at least using CommandParameters... Stored procedures are fast and more secure, but if you don't want to (or can't) use them, CommandParameters are strongly typed and will avoid injections too.
  • Do not use the SA/admin account from your code! Create a new user, map it only to the application's database, and give it only the specific, minimum rights. Few applications need DROP statements. And if you do need them, maybe having two users is the solution (one just for delicate operations and the other for normal SELECT, UPDATE...).
  • Just in case everything else fails... use logs! Log every important operation, every non-trivial method call, every exception... Each day I rely more on logs and less on just debugging to watch for errors or undesired behaviours, because you don't always have the option to debug ;)
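The core of this list, white-list validation plus parameterised queries, as an added example in Python against an in-memory SQLite table (my code, not ASP.NET; in ADO.NET the binding step is SqlCommand.Parameters). The users table, its rows and the lookup query are constructed for the demo. The unsafe function is kept next to the safe one only to show the difference in outcome on the same input.

```python
import re
import sqlite3

# White-list: a username is 1 to 32 letters or digits, nothing else gets in.
USERNAME_RE = re.compile(r"^[A-Za-z0-9]{1,32}$")


def setup_db():
    """Constructed sample table with three users, one of them privileged."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, age INTEGER, is_admin INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", 31, 0), ("bob", 45, 0), ("root", 50, 1)],
    )
    return conn


def find_user_unsafe(conn, username):
    """Query built by string concatenation: the input becomes part of the SQL text."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, username):
    """Parameter binding: the value travels separately from the SQL text, so it
    can only ever be compared as data and never changes the statement's shape."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def is_valid_username(username):
    """Reject anything outside the white-list before it reaches the data layer."""
    return USERNAME_RE.match(username) is not None


def parse_age(age_text):
    """Parse the age field into an actual integer; None if it is not a plausible age."""
    try:
        age = int(age_text.strip())
    except (ValueError, AttributeError):
        return None
    return age if 0 <= age <= 150 else None


if __name__ == "__main__":
    db = setup_db()
    probe = "x' OR '1'='1"   # constructed input that is not a valid username
    print("validated?", is_valid_username(probe))        # False: never reaches SQL
    print("unsafe   :", find_user_unsafe(db, probe))     # every user leaks
    print("safe     :", find_user_safe(db, probe))       # no such username: []
    print("age      :", parse_age(" 31 "), parse_age("31; DROP TABLE users"))
```

Validation and binding are independent layers: the regular expression stops the bad value at the edge, and the bound parameter guarantees that even a value which slips past validation is treated as a literal string by the database.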

I don't think I'm leaving anything out... but if I am, I'll update the post. Comments will be appreciated ;)


Saturday morning reading: Security

My dog woke me up a bit early, so there's nothing better than a few security articles and slides to start the day. This is what I'm reading right now:

- The Silverlight security model (Parts I, II and III)

- MS Access SQL Injection Cheat Sheet

- LDAP & Blind LDAP Injection (in Spanish)

- XPath Injection, Brute Forcing & cracking paper (in Spanish)

- And an extra non-security one: Revisiting Programming Fonts