Tuesday, January 31, 2006

Am I protected from buffer overflow vulnerabilities by coding on platforms like .NET?

A very interesting question appeared this month on Vice, the technical mailing list of the well-known security vendor eEye:
[In reference to your Q&A from last issue defining buffer overflows] I sent out your articles to our web application developers, and they are using Macromedia ColdFusion 8 and .NET 2003. They responded with the answer below saying they are not affected by memory overflow. Any comment on what's been said?

"Since the CLR for .NET and the JVM for ColdFusion manage memory independently from the operating system we can not cause serious memory problems to the point of crashing the servers. Certainly the risk of outsiders doing this exists but no-one needs to worry about me writing a poorly coded application causing memory leaks. Unless we start coding in C/C++, we are safe from this."

eEye security specialists answered the question this way:
There are two major points to address: First, if you can do low-level work, you can most likely create memory access problems. Second, the system that processes your code could itself have problems -- you should never make assumptions that the problem is completely taken care of by someone else.

It is okay to say, "I work in a very safe environment, and it is very unlikely that I will have any memory access problems", but thinking that you will not ever have memory access problems could keep you from ever learning and understanding the potential problems.

There are also potentially countless security bugs not related to memory access in these products, and these can be even harder to find and test for than the memory access problems. Understanding secure coding from all angles will be the key factor for developing secure applications.

I asked Marco Russo, a well-known .NET and Business Intelligence expert, to comment further on this topic:
While any platform could have bugs and security vulnerabilities (in the end, even a microprocessor could have buggy behaviour for a particular instruction), .NET offers a relatively high security bar against memory overflow problems if you strictly follow some rules: write 100% managed code, use only managed libraries, don't use legacy components (native-code DLLs and COM objects).

The pitfall is that the current .NET Framework is based upon a legacy platform and uses a lot of legacy components (DLLs and COM objects) that could have wrong behaviours if a new vulnerability is discovered.

There are a lot of controls made by the interoperability services of the .NET Framework to reduce the exposed area (like parameter validation), but there can't be a 100% secure way to validate any parameters while we can't assure that a vulnerability exists for a given combination of valid parameters.

That said, I think that writing managed code is a safer way to write software than writing unmanaged code. You can leverage a lot of services that catch the more common problems in your code. I don't like positions that promote the idea that "writing all the code by yourself without relying on existing platforms/libraries is better".
The real message should be that security is a complex matter and you have to be aware of the features and potential weaknesses of the tools you use when writing code.
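As an added illustration (not from the post or from the experts quoted above), the same copy routine written three ways in C# shows where the CLR's guarantee actually stops: managed array access is bounds-checked, while unsafe pointers and P/Invoke into a native DLL rely on checks you write yourself. It assumes a build with /unsafe and, for the native call, Windows with msvcrt.dll.

```csharp
using System;
using System.Runtime.InteropServices;
// Added example (not the post's code). Build with /unsafe; P/Invoke part assumes Windows (msvcrt.dll).
static class ManagedBoundary
{
    // 1. Verifiable managed code: the CLR bounds-checks every array access,
    //    so an oversized input raises IndexOutOfRangeException instead of
    //    overwriting whatever follows 'dst' in memory.
    public static int CopyManaged(byte[] src, byte[] dst)
    {
        for (int i = 0; i < src.Length; i++)
            dst[i] = src[i];                // checked: throws when i >= dst.Length
        return src.Length;
    }

    // 2. 'unsafe' code opts out of verification. Pointer writes are not
    //    checked, so the only thing between this loop and a C-style overflow
    //    is the length check we write ourselves.
    public static unsafe int CopyUnsafe(byte[] src, byte[] dst)
    {
        if (src.Length > dst.Length)        // drop this and the loop overruns silently
            throw new ArgumentException("source larger than destination");
        fixed (byte* s = src, d = dst)      // pin both arrays so the GC cannot move them
        {
            for (int i = 0; i < src.Length; i++)
                d[i] = s[i];                // unchecked pointer write
        }
        return src.Length;
    }

    // 3. Interop: once control passes to a native DLL the CLR can verify
    //    nothing. Parameters must be validated on the managed side, and any
    //    bug inside the native code is inherited by the managed caller.
    [DllImport("msvcrt.dll", EntryPoint = "memcpy", CallingConvention = CallingConvention.Cdecl)]
    private static extern IntPtr NativeMemcpy(IntPtr dst, IntPtr src, UIntPtr count);
    public static int CopyViaNative(byte[] src, byte[] dst)
    {
        if (src.Length > dst.Length)
            throw new ArgumentException("source larger than destination");
        GCHandle hs = GCHandle.Alloc(src, GCHandleType.Pinned);
        GCHandle hd = GCHandle.Alloc(dst, GCHandleType.Pinned);
        try
        {
            NativeMemcpy(hd.AddrOfPinnedObject(), hs.AddrOfPinnedObject(),
                         (UIntPtr)(uint)src.Length);
        }
        finally { hs.Free(); hd.Free(); }
        return src.Length;
    }

    static void Main()
    {
        byte[] oversized = new byte[16];    // constructed input, twice the buffer size
        byte[] buffer = new byte[8];
        try { CopyManaged(oversized, buffer); }
        catch (IndexOutOfRangeException) { Console.WriteLine("managed: the CLR stopped the overrun"); }
        try { CopyUnsafe(oversized, buffer); }
        catch (ArgumentException) { Console.WriteLine("unsafe: only our own check stopped it"); }
        try { CopyViaNative(oversized, buffer); }
        catch (ArgumentException) { Console.WriteLine("native: only our own check stopped it"); }
    }
}
```

Only the first variant is protected by the runtime; the other two fall back on the caller's own validation, which is exactly the boundary the "100% managed code" rule draws.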

Security professionals salaries report

The SANS Institute just published the 2005 Information Security Salary & Career Advancement Survey.

It considers the salaries of 4250 volunteer security professionals from the U.S., U.K. and other countries worldwide:
  • U.S. pays more (I should consider this for my next job...)

  • Well-paid security professionals have one or more security certifications (this doesn't imply that having a certification means a better salary)

  • Well-paid security professionals usually have CISA, CISM (from ISACA) or CISSP, SSCP (from ISC2) certifications

and more numbers to check and evaluate.


Thanks to Bruce Schneier for the news.

Monday, January 30, 2006

Hacking Layer 2

The most difficult part of hacking a well-protected corporate network is bypassing switches.
Switches connect every LAN machine, and savvy administrators have a lot of ways to protect network segments, from VLANs to port security, up to the new endpoint security authentication features vendors are offering today.

The well-known ARP poisoning attack isn't good in every condition, and in any case it creates a lot of network overhead. But strangely it is the only attack widely supported by common penetration tools.
Other, more dangerous and powerful layer 2 attacks are barely discussed IT security topics, and until last year there were virtually no tools to support them.

Today we have the great Yersinia tool, providing attacks on Spanning Tree Protocol (STP), VLAN Trunking Protocol (VTP), Cisco Discovery Protocol (CDP), and many more.
As far as I know Yersinia is the only tool available today covering a whole range of layer 2 attacks, so it's no surprise to see it embedded in every major penetration testing suite.

If you are weak on these kinds of attacks you had better read Guillermo Mario Marro's good Master of Science thesis: Attacks at the Data Link Layer.
Then, if you work with Cisco equipment, be sure to check this whitepaper about layer 2 attack mitigation: SAFE Layer 2 Security In-depth Version 2.

Sunday, January 29, 2006

Microsoft WSUS now updates ISA Server 2004 and Windows Defender

As expected, Windows Server Update Services (WSUS) is expanding its updating capabilities.

After adding support for SQL Server and Exchange, today it offers updates even for ISA Server 2004 and Windows Defender (formerly Microsoft AntiSpyware, now in beta and included in Microsoft Vista).

At the same time a new update classification, called Definition Updates, appeared.


This last feature will deliver antimalware (antispam, antivirus, antispyware, antirootkit, etc.) updates for all desktop security tools to come.

About ISA Server 2004 updates: it's a good thing to centrally manage updates even on security products, but I strongly discourage directly updating a critical server like a firewall with automatic tools like WSUS.

As I have repeated many times, applying patches to production servers should be done only after a long test period. And in the case of a front-end firewall it should not be possible at all to contact a WSUS.
In the firewall case it is better to use the new Updates CD Microsoft has been offering since this month.

Thursday, January 26, 2006

Hacking credit cards

Many credit card (and other magnetic card) owners know that cloning their card is possible. Fewer have gone through this bad experience.
But just a small bunch of them know how simple it really is.

SploitCast published a very interesting podcast about magnetic card emulation you should listen to.

And if you are really interested in this topic you should also check the Stripe Snoop project, a suite of research tools that captures, modifies, validates, generates, analyzes, and shares data from magstripe cards.
Be sure to check the videos.

Wednesday, January 25, 2006

Hardening Windows Server 2003 platforms

I wrote an introductory article about hardening Windows 2003 Service Pack 1 platforms with the Security Configuration Wizard (SCW).

If you are already familiar with Bastille for Red Hat Linux or JASS for Sun Solaris you may find it interesting for a basic feature comparison.

It has just been published in (IN)SECURE Magazine #5, available for free here.

BTW, Microsoft just published extensive documentation on SCW: download it here.

Review: Configuring Check Point NGX VPN-1/Firewall-1 - Syngress

Configuring Check Point NGX VPN-1/Firewall-1 is written by many respected authors and security professionals. Among them there is Barry J. Stiefel, the man who founded the first Check Point User Group.

I'm a Check Point Certified Instructor (CCSI) and can assure you this book covers a lot of topics included in the official Check Point VPN-1 NGX courseware.

Chapter 13, about Check Point VPN client solutions, includes a discussion of the Integrity technology, acquired from ZoneLabs and to be merged with SecureClient.

Chapter 14 also includes a lot of details from the official Check Point SecurePlatform courseware.

The last chapter, Chapter 16 about VoIP, is even better than the official course manual.

The book lacks more details on some covered product features, coverage of some excluded features, OPSEC third-party interoperability examples, and discussion of architectural problems (like logging strategy, rulebase optimization, etc.), but it's a good book.

I strongly recommend it to anyone who didn't take the course and wants wide coverage of many VPN-1 NGX features.
Those who already attended the official course won't find anything new here.

Check it here.

Thursday, January 19, 2006

Expect ISA Server 2004 SP2 next week, ISA Server 2006 this summer

As Steven Bink reported today, ISA Server 2004 Service Pack 2 is going to be released next week.

ISA Server 2006, codename Wolverine, entering beta from March, is expected for July/August.

Tuesday, January 17, 2006

How to create a self-signed SSL certificate

If you often work with SSL-enabled applications in test environments you need a simple way to obtain a test digital certificate.

If you are in a Windows environment a good way to get a self-signed SSL certificate is to install the free SelfSSL tool included in the Microsoft IIS 6.0 Resource Kit.

Jonathan Maltz created a nice step-by-step guide to achieve this goal.

If you are in a Linux or Solaris environment you can follow this comprehensive configuration page.

Saturday, January 14, 2006

The WMF saga

Once upon a time, on 27th December 2005, a pestilent bug in the graphical rendering engine (gdi32.dll) started to put at risk every Windows box on the planet. And even Linux ones which used the WINE emulation package.

To gain momentum, the well-known security expert H D Moore developed an early exploit for his well-known (and much appreciated) open source penetration test platform: Metasploit.
At the same time, to gain momentum, the well-known developer Ilfak Guilfanov, author of the well-known (and much appreciated) binary disassembler IDA Pro, developed an unofficial patch.
At the same time Microsoft started developing and testing its own official patch, which was planned for release 15 days later.

Immediately after, SANS, the well-known (and much appreciated) organization for security awareness, for the first time in its whole history, released a vulnerability FAQ urging people to go and use the unofficial patch.
Immediately after, Microsoft released a webcast to deprecate use of the unofficial patch, warn of possible compatibility issues (which arrived) and defend its position, arguing that testing an official patch against every Windows variant takes a lot of time.
Immediately after, to gain momentum, ESET, the well-known (and much appreciated) organization developing the NOD32 antivirus, released a second unofficial patch.
Immediately after, Microsoft inadvertently leaked an unofficial pre-release patch, which was advised as unstable and untested and therefore not worth installing.

5 days before the planned date (and 10 days after the vulnerability discovery) Microsoft released the official patch.
At the same time 2 bloggers from SecuriTeam, the well-known (and much appreciated) security portal, disassembled the official patch and compared it against Guilfanov's unofficial one, finding identical solutions.
At the same time legacy Windows and Linux users discovered they wouldn't be safe at all because Microsoft released no patch for them.

Immediately after, 2 new WMF vulnerability variants were disclosed, affecting just IE 5.0 on Microsoft Windows 2000 Service Pack 4 and IE 5.5 on Windows Millennium.
Immediately after, Microsoft minimized the impact of these new flaws.
Immediately after, to gain momentum, the well-known (and much appreciated) developer and security expert Steve Gibson claimed the original WMF vulnerability to be a Microsoft backdoor to reach Windows computers worldwide.
Immediately after, Microsoft security program manager Stephen Toulouse answered the claim, denying the imputed intentions.
Immediately after, a Linux News member started asking everybody why this happened when Microsoft reports spending $10-$50 million on security.
Immediately after, to gain momentum, the well-known (and much appreciated) content filtering company Websense reversed the WMF exploit code (also available in PDF for maximum exposure).
Immediately after, without any need to gain momentum, the well-known (and much appreciated) Windows development expert Mark Russinovich claimed Steve Gibson's Microsoft backdoor assumption was totally wrong.
Immediately after, Steve Gibson released a second podcast, trying to limit the damage, launching a new utility for finding the WMF vulnerability.

38 days after the first public announcement of the WMF bug and 29 days after the official Microsoft patch, a Kaspersky Lab senior virus analyst revealed the exploit code was being sold by Russian hackers on underground sites (I already talked about these kinds of places in another post) for $4000, and it's even probable that the vulnerability was first discovered on 1st December 2005.

About a month after the two minor WMF vulnerabilities, and after releasing workarounds to avoid 0day attacks, Microsoft released a patch.

Immediately after, 52 days since the first public announcement of the WMF bug, the first worm (a mass-mailer phishing trojan) hit the Net, starting from Australia.


At the end of the story you find, in bold text, the companies, organizations and individuals who played a role in this fascinating story.
Some increased their visibility (not always in the most ethical way), some lost credibility, and others confirmed that sometimes a single trusted expert's analysis is worth much more than hundreds of official bulletins...

To be continued?

Wednesday, January 11, 2006

Updating Microsoft WSUS in DMZs

As I have said on previous occasions, Microsoft WSUS is probably the best security tool Microsoft has made to date.

Thanks to it you can safely update Windows servers deployed in DMZs without allowing them to reach the Internet as web clients.
This is particularly important for two reasons:
  • in case someone can hijack the Windows Update sites, your servers are eventually taken

  • if you authorize servers to make outbound HTTP requests, you probably won't notice a compromise of them when the attacker uses an HTTP reverse shell to remotely control your machine

So having a dedicated WSUS in the DMZ is a good thing. But how can we protect that WSUS from being attacked?

Once upon a time Microsoft sent SUS update CDs to customers for free. Then one day this opportunity simply disappeared from the site. I guess sending physical CDs for free was a bit impractical...

Today Microsoft goes back that way but offers monthly ISO images of the SUS/WSUS update CDs. This is even better!
So you can download them at will without delivery risks, and eventually map them on virtual machines without burning, if you work with virtual datacenters.

Obviously the monthly CD can also be used to update single Windows boxes, without restrictions.

You can download it here.

Novell launched an open source intrusion prevention system for Linux

Quoting from Linux-Watch:
On Tuesday, Novell announced the creation of the AppArmor project, a new GPL open-source project dedicated to advancing Linux application security.

Novell Inc.'s AppArmor is an intrusion-prevention system that protects Linux and its applications from the effects of attacks, viruses and malicious applications.

AppArmor is based on technology that Novell acquired from Immunix, a leading provider of Linux host-based application security solutions for Linux, when it purchased the company in May 2005.

AppArmor works by "application containment." In this approach, the interactions between applications and users are monitored for possible security violations...

Read the whole article at source.

Tuesday, January 10, 2006

Do you remember Fluffy Bunny?

I dunno why I summoned up the image of the Fluffy Bunny pink rabbit running on the SecurityFocus top banner, and found myself asking: where was Fluffy Bunny during the WMF bug?

A small search on Google revealed this Wired News article.
I totally missed the news at that time.

4 years have already passed...???

Microsoft ISA Server development team started blogging

As I reported in the last days of 2005, ISA Server 2006, codename Wolverine, is coming.
Steven Bink reported the beta will start soon (this is true, I can confirm) and will be open (as Microsoft has been doing recently with security products, like WSUS, MBSA 2.0 or Data Protection Manager 2006).

If the beta is going to be public it's not that strange that the ISA Server development team just started a new blog.

Monday, January 09, 2006

Microsoft Threats and Countermeasures Guide 2.0

Immediately after releasing the Windows Server 2003 Security Guide 2.0, Microsoft updated this guide as well:
The Threats and Countermeasures guide provides you with a reference to all security settings that provide countermeasures for specific threats against current versions of the Microsoft Windows operating systems. Many of the countermeasures that are described in this guide are not intended for specific computer roles in the companion guides, or in some cases for any roles at all.

The chapters of this guide are structured in a way that approximates how the major sections of settings are displayed in the user interface of the Group Policy Object Editor. Each chapter begins with a brief explanation of what is in the chapter, followed by a list of subsection headers, each of which corresponds to a setting or group of settings. (These settings are listed in the Microsoft Excel workbook that is available in the downloadable version of this guide.) Each subsection provides a brief explanation of what the countermeasure does, and includes the following information:

  • Vulnerability. How an attacker might exploit a feature's configuration.

  • Countermeasure. Explains how to implement the countermeasure.

  • Potential Impact. Explains the possible negative consequences of countermeasure implementation.

Thanks to Steven Bink for the news.

Microsoft Windows Server 2003 Security Guide 2.0

Microsoft released the second edition of the Windows Server 2003 Security Guide including Windows Server 2003 Service Pack 1:
The updated Windows Server 2003 Security Guide provides specific recommendations about how to harden computers that run Microsoft Windows Server 2003 with Service Pack 1 (SP1) in three distinct enterprise environments–one in which older operating systems such as Windows NT 4.0 and Windows 98 must be supported, one in which Windows 2000 is the earliest version of the Windows operating system in use, and one in which concern about security is so great that significant loss of client functionality and manageability is considered an acceptable tradeoff to achieve maximum security. These three environments are respectively referred to as the Legacy Client (LC), Enterprise Client (EC), and Specialized Security - Limited Functionality (SSLF) environments throughout this guide.

Guidance about how to harden computers in these three environments is provided for a group of distinct server roles. The countermeasures that are described and the tools that are provided assume that each server will have a single role. If you need to combine roles for some of the servers in your environment, you can customize the security templates that are included in the downloadable version of the guide to create the appropriate combination of services and security options. The server roles that are referenced in this guide include the following:

  • Domain controllers that also provide DNS services

  • Infrastructure servers that provide WINS and DHCP services

  • File servers

  • Print servers

  • Internet Information Services (IIS) servers

  • Internet Authentication Services (IAS) servers

  • Certificate Services servers

  • Bastion hosts


Thanks to Steven Bink for the news.

How to destroy passive RFID tags for the masses

We ended 2005 sniffing RFID traffic, we start 2006 destroying RFID tags.

RFID-Zapper is a nice research project to regain anonymity after your RFID-powered purchases.

Good to see this kind of stuff: I'm just waiting for Google to come up with an RFID-free thing....


Thanks to Bruce Schneier for the news.

Saturday, January 07, 2006

Snort analysis system in a box

Sguil is a wonderful real-time analysis console for Snort events, written in Tcl/Tk.

Installing it the first time can be somewhat difficult, so the well-known security expert Richard Bejtlich created a virtual machine for VMware Player with FreeBSD 6.0 and Sguil preinstalled.
The whole system is trimmed to offer a fully working Sguil architecture, with a local Snort sensor and the Sguil collecting and analyzing server, event database and client, for the fastest startup you can find on the Net.


You can discover more about VMware Player and free Community Virtual Machines on my blog about virtualization: virtualization.info.

Thursday, January 05, 2006

Microsoft awarded me as MVP

I just received a letter from Microsoft informing me I have received an award as Most Valuable Professional.

Thank you!

After obtaining my CISSP certification, I'm particularly happy with this prize, which demonstrates that a security professional does not necessarily have a love for Linux and open source and a hate for Microsoft and closed source, as I always hear.

I have always believed an IT professional, a security one in particular, should work hard to know both worlds before comparing and suggesting solutions from one of them, and impartially recognize what is good for what.

Monday, January 02, 2006

Cisco Networkers 2005 slides online

Slides from Cisco Networkers 2005 are available online here.

Under the Security track there are a lot of interesting sessions.
One is a must-read for Endpoint Security: Understanding and Deploying Network Admission Control.