Web Log of Aleksey Nudelman: Thoughts on Software Architecture

Analysis and Review of Microsoft Technologies for IT Managers, Architects and Developers

Thursday, December 23rd

Book Review: "Writing Secure Code" by Michael Howard and David LeBlanc


First 4 chapters cover Security basics: lots of useful suggestions, but nothing to lose your sleep over.
Chapter 5 has some very interesting stuff on how to cause a buffer overrun...

Having demonstrated this stack overrun exploit, the authors go on to show other buffer overrun exploits which are both entertaining and scary. The authors then go on to say that using buffer security checks option (/GS) when compiling with VS.NET prevents simple stack overruns, but does nothing to help with heap corruption or complex stack overruns.
Chapters 6 and 7 are about ACLs and SIDs.
In chapter 8, authors mount a strong argument against using rand() function in cryptographic applications. The authors feel that rand() has a short period and its numbers are fairly predictable. The authors recommendation is to call CryptGenRandom instead of calling rand(). Unfortunately, the authors fail to point out that CryptGenRandom is very significantly slower than rand() and therefore is not acceptable for most applcations. Authors do, however, show a "better" rand by Knuth. Since a typical cryptographic application makes billions of calls to a random number generator, a random number generator by Press, Teukolsky, Vetterling and Flannery ("Numerical recipies in C", Cambridge University Press 1997) is probably the best choice.
Chapter 9 is very good, there is wealth of information about storing secret data with LSA or DPAPI .Authors even spend some time discussing hiding secrets in RAM, compiler optimization effects on secrets and secrets in managed code. This is probably the best chapter in the book...
Review
aleksey on 12.23.04 @ 11:42 PM PST [link]


Sunday, December 19th

Run anti spam software at all times or you may get phished


I have received this interesting email with Smith Barney/Citi Group logo:

Dear Smith Barney customer,
The technical services of the Smith Barney are carrying out a planned software upgrade.
We earnestly ask you to visit the following link to start the procedure of confirmation of customer's data.

There are a few interesting things about this email:
1. The mail server (83.27.113.233) is in Polland and the phishing web server (195.239.79.166) is in Samara, Russia.
2. The email is written in broken English. The mail server is listed as a spam source with spamhaus.org
3. Phishing Server url 195.239.79.166 is masked by a JavaScript window that make it look like the server IP address is actually https://www.smithbarney.com/cgi-bin/login/confirm.cgi

Trace Route on the phishing server gives Samara, Russia

21 651 ms 260 ms 260 ms mks-gw.Samara.gldn.net [195.239.79.166]
22 391 ms 521 ms 370 ms TERMS [195.239.144.10]

Phishing web server (195.239.144.10 ) info:


inetnum: 195.239.144.0 - 195.239.144.15
netname: JFCSAMARA
descr: Samara JFC Ethernet segment
descr: connected by Sovam Teleport
country: RU
admin-c: SI135-RIPE
tech-c: SI135-RIPE
status: ASSIGNED PA
mnt-by: AS3216-MNT
changed: iga@sovam.com 20030707
source: RIPE

route: 195.239.0.0/16
descr: Sovam Teleport allocated block
origin: AS3216
notify: noc@sovam.com
mnt-by: AS3216-MNT
changed: iga@sovam.com 19971215
source: RIPE

person: Serg Ivanov
address: 24-1-159 , Koroliova str.
address: Russia, Saint-Petersburg
phone: +7 812 1086998
fax-no: +7 812 5425278
e-mail: isatec@jazz.spb.ru
nic-hdl: SI135-RIPE
notify: isatec@jazz.spb.ru
mnt-by: RADIO-MSU-MNT
changed: lavrov@radio-msu.net 19990914
source: RIPE


aleksey on 12.19.04 @ 08:32 PM PST [link]



  Home
  Archives
Phishing Inspector is  available

Copyright© 2006 Aleksey Nudelman