Friday, March 14, 2008

Ruby on Rails?

Ruby on Rails is an open source programming language that provides a code stage to quickly build database-driven web applications.
It includes five standard packages:
ActiveRecord, ActiveResource, ActionPack, ActiveSupport and ActionMailer that can be extended. The Rails framework, which provides the structure for the models and views needed for a basic website, is developed employing the Model-View-Controller (MVC) architecture.

There are two concepts in Ruby on Rails--Convention over Configuration (CoC) and Don't Repeat Yourself (DRY).
The principle behind COC is that only strange aspects of the application need to be specified; otherwise, they follow the established standard.
DRY requires that information be placed in a single, unambiguous location to ensure a single point of reference and avoid hidden errors.

The principles behind Ruby on Rails allow for huge development speed while minimizing lines of code and errors. It has the advantage of including a lot of web development know how from its inception, which makes it simple to use, maintain, and extend.

Ruby on Rails is now widely embraced as a great tool to rapidly build scalable, database-driven web applications.

Saturday, March 08, 2008

DNS Security Issues (Misconfigurations)

DNS fall with security issues in a relation to:

Service/traffic redirection:

DNS requests(traffic) to any site, could be redirected to an IP address of a malicious attacker’s site using man in the middle attack or any other type of attacks.
As a user, you should verify the authenticity through cryptographic signature hashes even with trusted sites.
Similarly, name servers with MX records can be modified to redirect
e-mail from one domain to another.



Denial of service:

Instead of redirecting records elsewhere, they can be redirected to 10.1.1.12
or any another address range that does not exist which may deny legitimate target from being reached.


Zone transfers:

Domain record exchanges such as updating information across name servers can reconfigure packet routing across a network.

Past versions of name servers had no security, and anyone with access to programs like nslookup and dig were capable of issuing them.

DNS zone transfers should only be allowed between DNS servers and clients that actually need it.
DNS master is only transmitting zone information to (and only to) the IP addresses of slave-1/2..etc DNS servers, slave should not transmit to anyone in most configurations.

Also protection with zone transfers can be obtained by implementing DNS keys and even encrypted DNS payloads.

Else than that Instead of limiting transfers purely based on IP address, sites can maintain cryptographic signatures or relies on public key cryptography as in DNS security extensions (DNSSEC)


Predictable query IDs:

A query ID is included within a packet to uniquely identify sessions, such a query within a request is a security issue that allows an attacker to poison domain name server caches with forged address resolution information, a way to reduce the breadth of this attack random query IDs is used.

Secure How-To: Not only

-Using complete physical separation of internal recursive queries and external public name service to prevent DNS cache poisoning.
-Also securing dns could be by redundancy and load balancing which in turn requires that networks house more than one DNS server.

Thursday, March 06, 2008

E-mail Risk ( Data vulnerabilities )

As a universally implemented protocol, email should be a target
for attacks and risk ; due to the very sensitive nature of the data or information that is transmitted.

E-mail at its core is safe because it does not transmit directly executable(binary) code.
But an e-mail client starts adding features to be more of a collaboration tool, such as Outlook which embed malcode that has chances of being decoded and launched.

An e-mail protocol like Post Office Protocol (POP), was used in the clear,
which means when a mail was received, it was transmitted with the POP3 protocol.
In such case, the entire e-mail fit into one packet and opportunity to capture packets and read e-mail content isn't off-topic.

Capturing and modifying of e-mail can be done either as a man-in-the-middle attack (using ARP spoofing tool, such as ettercap) or as a replay attack.

Man-in-the-middle attacks are best avoided by using encryption and digital signing of messages.

On the other hand, Spam DoS attacks are a result of spammers using false domains in the e-mails they send.
The most danger type of these attacks is when a spammer forges an address.

Spam attacks avoided by referencing a blacklist which is a database of known internet addresses (by domain names or IP addresses) used by spammers.
Blacklisted addresses return invalid responses so the server rejects the e-mail.


Proper e-mail authentication is also a security concern.

-Login authentication : user name and password passed separately encoded with base64.
The user name and password are then used to authenticate to the mail server.

- onPOP before SMTP : preventing spammers from using a mail server relay.
SMTP relaying is permitted by an IP address if that IP address has participated in a valid POP session in the prior X minutes.
The POP protocol requires a valid password so spammers will not be able to use POP prior to using the mail server for relaying.

A mail relay sits in the DMZ outside the perimeter firewall with a benefit having all mail received first by this mail relay which can check for unwanted scripts, viruses, and questionable attachments and also a good place to put spam protection, such as blacklist monitoring and spam filtering.

Securing e-mail traffic: discussed previously
Creating a secure tunnel for using less secure e-mail protocols can be a strong method of protecting the privacy and integrity of the e-mail.
With an SSH tunnel, we can still have the protection of the SSH encryption, in SMTP/POPing.

Later talking about SPF, DomainKeys ...etc

Wednesday, March 05, 2008

UNIX/Linux as a poor vulnerability target

UNIX has some characteristics that make it less attractive for security attacks

Unix is still primarily used on different platforms.
This use, make the average UNIX user more knowledgeable about the operating system and security.

There are many scripting techniques in UNIX.
Unlike Windows, the scripting is not integrated into applications (such as Outlook and Word).

In UNIX, scripts can be integrated into applications such as mail and word processing, but not to be _the default configuration_.

This makes UNIX much less vulnerable than a Windows system that is running Outlook and allows users to commonly run Visual Basic scripts.

Also the inability of a common user to alter an executable is a severe restriction on viruses and worms that depend on users to propagate their malware.

On the other hand in Unix, Physical Security is somehow perfectly controlled:
(monitoring hardware changes)
A software tool library like kudzu, detects and configures new and/or changed hardware on a RedHat Linux system and currently ported to different other distros.

What's notable that it detects the current hardware and checks it against a database stored in /etc/sysconfig/hwconf, which mean it can be an eye on system hardware monitoring any changes.

Another piece in Unix is its partitioning of disks and file systems which can be a physical security issue.

File systems, such as ext3 in Linux, use journaling to make the recovery of damaged file systems more reliable.

Journaling provides for a fast file system restart in the event of a system crash, using database techniques, journaling can restore a file system in a matter of minutes, or even seconds.

Not finished yet....