<?xml version="1.0" encoding="utf-8"?>
<rss version="0.92">
<channel>
<title>SecuObs.com</title>
<link>http://www.secuobs.com</link>
<description>Internet security observatory</description>
<language>fr</language>
<webMaster>webmaster@secuobs.com</webMaster>
<item><title>RFC 7800: Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs)</title><description>2016-04-07 05:06:46 - New RFCs: 33KB, DOI</description><link>http://www.secuobs.com/revue/news/603059.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/603059.shtml</guid></item>
<item><title>Vigilance - Drupal Token Insert Entity: information disclosure, analysed 03/12/2015</title><description>2016-02-03 10:58:29 - Vigilance public vulnerabilities: An attacker can insert a token with Drupal Token Insert Entity, in order to obtain sensitive information.</description><link>http://www.secuobs.com/revue/news/597213.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/597213.shtml</guid></item>
<item><title>Request parameter _method may lead to CakePHP CSRF Token Bypass</title><description>2016-01-12 19:51:25 - Minded Security Blog: In CakePHP we noticed that under certain circumstances it is possible to bypass the built-in security checks offered by CSRF and anti-tampering. As stated in the official documentation, "By using the Security Component you automatically get CSRF and form tampering protection" [1]; however, this is not true in case a form controller does not check whether the request is a 'POST' or 'PUT' using $this->request->is(). This is because CSRF protection is only applied to specific methods, e.g. the POST and PUT HTTP methods. In addition, by leveraging the HTTP method overriding feature defined in the CakeRequest::processPost() method, it is possible to overwrite the original request method with an arbitrary method chosen by the attacker. The following is the original proof of concept that we sent to the CakePHP team, where by abusing the _method parameter it is possible to specify an arbitrary method (e.g. "CSRF") that is not checked against CSRF. CSRF Bypass proof of concept: the vulnerability can be exploited by tricking a victim user (currently logged into a vulnerable application) into visiting a web page like this: … document.forms[0].submit(). This affects CakePHP 2.x: https://github.com/cakephp/cakephp/blob/2.7/lib/Cake/Controller/Component/SecurityComponent.php#L237 and similarly also affects CakePHP 3.x: https://github.com/cakephp/cakephp/blob/3.2/src/Controller/Component/SecurityComponent.php#L118, https://github.com/cakephp/cakephp/blob/3.2/src/Controller/Component/CsrfComponent.php#L95. Thanks to our feedback, the developers of CakePHP have issued this patch: https://github.com/cakephp/cakephp/commit/0f818a23a876c01429196bf7623e1e94a50230f0. It's important to mention that this patch implemented by the CakePHP team now allows only the GET, HEAD and OPTIONS methods to be left unprotected; indeed this is a partial fix. Of course the previous proof of concept will no longer work; however, with little modifications (e.g. …) attackers will still get the job done. Developers should check the HTTP method carefully. The official documentation has also been updated. Now we see in there the written evidence that developers should properly check request HTTP methods before processing the request. To not be vulnerable to trivial CSRF attacks, be sure that your CakePHP application always checks HTTP methods, as now correctly stated in the updated documentation [2]. The important note regarding the mandatory check is: "You should always verify the HTTP method being used before executing side-effects. You should check the HTTP method or use Cake\Network\Request::allowMethod() to ensure the correct HTTP method is used." References: [1] http://book.cakephp.org/2.0/en/core-libraries/components/security-component.html [2] http://book.cakephp.org/3.0/en/controllers/components/csrf.html Vulnerability found and reported by Egidio Romano.</description><link>http://www.secuobs.com/revue/news/595478.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/595478.shtml</guid></item>
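<item><title>Added example: method override versus a method-scoped CSRF check</title><description><![CDATA[
The ordering problem described in the CakePHP item above, modelled as an added example. This is not CakePHP's code: the dispatcher, the pre-patch and post-patch policies, the deleteAccount actions and the `_method=GET` variant are assumptions made for illustration, and the post's own elided second proof of concept is not reproduced. The model shows why a CSRF component alone is not enough when the override is applied before the component decides whether the method is protected: an action that never verifies the method still runs its side effect.

```javascript
// Added example (not CakePHP's code): a model of how a `_method` override
// interacts with a CSRF check that only guards some HTTP methods.
// Names, the pre/post-patch policies and the actions are assumptions.

const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// Method override as the post describes it: a `_method` field in a POST
// body replaces the transport method before any component sees it.
function effectiveMethod(req) {
  if (req.method === 'POST' && req.body && typeof req.body._method === 'string') {
    return req.body._method.toUpperCase();
  }
  return req.method;
}

// Pre-patch policy: CSRF validated only for POST and PUT, so an override
// to any other value (e.g. "CSRF") skips the check entirely.
function csrfRequiredPrePatch(method) {
  return method === 'POST' || method === 'PUT';
}

// Post-patch policy: everything except GET, HEAD and OPTIONS is validated.
function csrfRequiredPostPatch(method) {
  return !SAFE_METHODS.has(method);
}

// Synchronizer-token comparison against the victim's session.
function validCsrf(req) {
  return Boolean(req.body) && req.body._csrfToken === req.session.csrfToken;
}

// Vulnerable action: performs its side effect whatever the method was.
function deleteAccountUnchecked(req, state) {
  state.deleted = true;
  return 200;
}

// Hardened action: the allowMethod-style check the documentation now
// requires, done before the side effect.
function deleteAccountChecked(req, state) {
  const method = effectiveMethod(req);
  if (method !== 'POST' && method !== 'DELETE') return 405;
  state.deleted = true;
  return 200;
}

// Dispatcher: resolve the method, apply the CSRF policy, run the action.
function dispatch(req, csrfRequired, action) {
  const state = { deleted: false };
  const method = effectiveMethod(req);
  if (csrfRequired(method) && !validCsrf(req)) return { status: 403, state };
  return { status: action(req, state), state };
}

// Constructed cross-site request: the browser attaches the victim's
// session, the attacker controls the body and has no valid token.
function forgedRequest(override) {
  const body = { confirm: '1' };
  if (override !== undefined) body._method = override;
  return { method: 'POST', body, session: { csrfToken: 'victim-secret' } };
}

// Legitimate same-site submission carrying the token from the form.
function legitimateRequest() {
  return {
    method: 'POST',
    body: { confirm: '1', _csrfToken: 'victim-secret' },
    session: { csrfToken: 'victim-secret' },
  };
}
```

In this model the pre-patch policy lets `_method=CSRF` through unvalidated; the patched policy stops that value, but an override to a method the policy treats as safe still reaches an action that does not check the method itself. That is the gap the updated documentation closes by making the allowMethod() check mandatory rather than optional.
]]></description></item>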
<item><title>PeopleSoft Security part 4: PeopleSoft pentest using TokenChpoken Tool</title><description>2015-11-20 14:10:35 - Security Bloggers Network: In the previous blog post about PeopleSoft Security we looked at the TockenChpoken attack and PeopleSoft SSO. Today we will go through all the steps of exploiting the attack, which can help you during a PeopleSoft pentest. It consists of 3 key steps. Preparation: get an "original" ps_token. 1. The TockenChpoken attack, by its nature, is a kind of privilege escalation attack. Therefore, we (as penetration testers) need a valid user credential to exploit it successfully. There are several main ways to get one: check for default credentials; dictionary brute-force attack; various attacks on PeopleSoft users (XSS, MiTM, ...). The post PeopleSoft Security part 4: PeopleSoft pentest using TokenChpoken Tool appeared first on ERPScan.</description><link>http://www.secuobs.com/revue/news/590693.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/590693.shtml</guid></item>
<item><title>Black Hat USA 2015 - Social Engineering the Windows Kernel: Finding and Exploiting Token Handling Vulnerabilities</title><description>2015-11-02 06:36:07 - SecurityTube.Net: One successful technique in social engineering is pretending to be someone or something you're not and hoping the security guard who's forgotten their reading glasses doesn't look too closely at your fake ID. Of course there's no hyperopic guard in the Windows OS, but we do have an ID card, the Access Token, which proves our identity to the system and lets us access secured resources. The Windows kernel provides simple capabilities to identify fake Access Tokens, but sometimes the kernel or other kernel-mode drivers are too busy to use them correctly. If a fake token isn't spotted during a privileged operation, local elevation of privilege or information disclosure vulnerabilities can be the result. This could allow an attacker to break out of an application sandbox, elevate to administrator privileges, or even compromise the kernel itself. This presentation is about finding and then exploiting the incorrect handling of tokens in the Windows kernel as well as first and third party drivers. Examples of serious vulnerabilities, such as CVE-2015-0002 and CVE-2015-0062, will be presented. It will provide clear exploitable patterns so that you can do your own security reviews for these issues. Finally, I'll discuss some of the ways of exploiting these types of vulnerabilities to elevate local privileges. For more information please visit https://www.blackhat.com</description><link>http://www.secuobs.com/revue/news/588683.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/588683.shtml</guid></item>
<item><title>RFC 7662: OAuth 2.0 Token Introspection</title><description>2015-10-20 01:24:36 - New RFCs: 36KB, DOI</description><link>http://www.secuobs.com/revue/news/587292.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/587292.shtml</guid></item>
<item><title>Guillaume Ponsard, NordPay Financial: Tokenisation breaks the last barriers of e-commerce</title><description>2015-10-07 14:49:01 - Global Security Mag Online: The massive democratisation of tokenisation in payment solutions now opens up possibilities for e-commerce and m-commerce that are not only concrete but also materially and technically very simple to implement, in order to offer customers a truly optimised purchasing journey. The tamper-proof token will be the norm for online commerce as well as for applications and NFC [1] within 24 to 36 months. An easy bet to keep, so close does the ideal seem to being reached. The major impact of the progress … - Points of View</description><link>http://www.secuobs.com/revue/news/585950.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/585950.shtml</guid></item>
<item><title>Tokenization and E-commerce: The Silver Bullet We've Been Looking For?</title><description>2015-09-28 15:29:35 - Security Bloggers Network: As we work with customers to help advance their anti-fraud efforts in their online channels, we've increasingly been asked about the impact of tokenization: will it simplify security efforts, or even make some of our existing technologies obsolete as a result of the protection it provides? To answer these questions, we need to first … The post Tokenization and E-commerce: The Silver Bullet We've Been Looking For? appeared first on Speaking of Security - The RSA Blog and Podcast.</description><link>http://www.secuobs.com/revue/news/584898.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/584898.shtml</guid></item>
<item><title>HID Global launches the ActivID Flexi Token</title><description>2015-08-31 11:20:35 - Global Security Mag Online: HID Global has just extended its identity assurance product range with the ActivID Flexi Token. This brand-new solution is particularly well suited to financial institutions and companies that want a PIN pad keypad at a competitive price, offering advanced protection capabilities for large-scale deployment. Its hardware token is a more flexible solution in terms of graphic customisation and deployment, and its initialisation options … - Products</description><link>http://www.secuobs.com/revue/news/581911.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/581911.shtml</guid></item>
<item><title>ADAL 3 didn't return refresh tokens for 5 months and nobody noticed</title><description>2015-08-13 11:43:43 - Security Bloggers Network: New post: http://www.cloudidentity.com/blog/2015/08/13/adal-3-didnt-return-refresh-tokens-for-5-months-and-nobody-noticed/</description><link>http://www.secuobs.com/revue/news/580057.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/580057.shtml</guid></item>
<item><title>Cloud encryption and tokenization trends in financial services</title><description>2015-07-31 09:43:27 - Help Net Security: The adoption of the cloud continues to grow rapidly, with Gartner forecasting 282 billion in spending by 2018. As financial services adopt the cloud, strict compliance regulations and corporate</description><link>http://www.secuobs.com/revue/news/578981.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/578981.shtml</guid></item>
<item><title>Secure Stateless Tokenization Three Years Later</title><description>2015-07-31 08:06:30 - HP Security Voltage: A Conversation with Terence Spies. Our HP Secure Stateless Tokenization (HP SST) solution turns three years old, and we caught up with its inventor, Chief Technologist Terence Spies, to talk about it. HP SST is an advanced, patented data security technology that provides enterprises, merchants and payment processors with a new approach to help … The post Secure Stateless Tokenization Three Years Later appeared first on HP Security Voltage.</description><link>http://www.secuobs.com/revue/news/578976.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/578976.shtml</guid></item>
<item><title>The challenges of implementing tokenization in a medium-sized enterprise</title><description>2015-07-23 10:21:09 - Help Net Security: We have seen a concerning pattern in the recent data breaches, including the breach at the Internal Revenue Service (IRS) and other US government agencies, in that the primary target was Social Securi</description><link>http://www.secuobs.com/revue/news/578064.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/578064.shtml</guid></item>
<item><title>Tokenization, the new standard for securing mobile payment?</title><description>2015-06-17 22:39:14 - Global Security Mag Online: CARTES SECURE CONNEXIONS 2015, the trade show dedicated to secure solutions for payment, identification and mobility, is organising 3 conference sessions dedicated to tokenization. The acceleration of innovation in e-payment systems shows that the industry is ready to meet the expectations of users of portable devices. The emergence of new types of service providers, such as "Token Service Providers", implies that the scope of tokenization will go well … - Points of View</description><link>http://www.secuobs.com/revue/news/574436.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/574436.shtml</guid></item>
<item><title> Unpatched OS X, iOS flaws allow password, token theft from keychain, apps</title><description>2015-06-17 17:24:37 - Help Net Security : Six researchers from Indiana University Bloomington, Peking University and Georgia Tech have recently published a paper in which they detail the existence of critical security weaknesses in Apple's OS </description><link>http://www.secuobs.com/revue/news/574407.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/574407.shtml</guid></item>
<item><title>CipherCloud unveils next-generation tokenisation</title><description>2015-06-09 11:03:22 - Global Security Mag Online: CipherCloud announces next-generation tokenisation, which complements its suite of cloud data protection technologies. Tokenisation protects confidential data by replacing readable text data with a random "token" that has no mathematical relationship to the original data. The offering, an integral part of the CipherCloud platform, combines strong data protection with natural-language search. In addition, CipherCloud becomes the first CASB … - Products</description><link>http://www.secuobs.com/revue/news/573433.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/573433.shtml</guid></item>
<item><title>RFC 7519: JSON Web Token (JWT)</title><description>2015-05-20 02:57:05 - New RFCs: 62KB</description><link>http://www.secuobs.com/revue/news/571302.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/571302.shtml</guid></item>
<item><title>RFC 7523: JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants</title><description>2015-05-20 02:57:05 - New RFCs: 26KB</description><link>http://www.secuobs.com/revue/news/571298.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/571298.shtml</guid></item>
<item><title>SSCC 193: Pick a YouTube security token, any token [PODCAST]</title><description>2015-04-08 14:31:50 - Security Bloggers Network: Join Sophos experts Chester Wisniewski and Paul Ducklin as they dissect the latest computer security stories in their inimitable style. Turn news into advice with the Sophos Security Chet Chat.</description><link>http://www.secuobs.com/revue/news/566489.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/566489.shtml</guid></item>
<item><title>Interview with Dan Philpot, Stealing Tokens for Privilege Escalation, Exploit Development with Mona.py - Episode 351 - October 28, 2013</title><description>2015-04-04 07:55:27 - Paul's Security Weekly: Dan Philpott is a Solutions Architect with Natoma Technologies working with Federal customers on cloud computing and federal information security projects. His work focuses on federal information security initiatives including FISMA, cybersecurity, FDCC, USGCB, HSPD-12, risk management and other federal information assurance initiatives. He has worked on federal cloud computing security with the Cloud Security Alliance and has participated in Federal CIO Council cloud and FedRAMP efforts. Founder of FISMApedia.org, information security instructor with Potomac Forum and co-author of "FISMA and the Risk Management Framework" from Syngress. He is fully buzzword compliant and an owner of the coveted Application Security Specialist baseball cap, known in security circles as the ASS hat.</description><link>http://www.secuobs.com/revue/news/566054.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/566054.shtml</guid></item>
<item><title>New Paper: Cracking the Confusion: Encryption and Tokenization for Data Centers, Servers, and Applications</title><description>2015-03-21 01:59:00 - Security Bloggers Network: Woo Hoo! It's New Paper Friday! Over the past month or so you've watched Adrian and myself put together our latest work on encryption. This one is a top-level overview designed to help people decide which approach should work best for datacenter projects (including servers, storage, applications, cloud infrastructure, and databases). Now we've pieced it together into full paper format. We'd like to thank Vormetric for licensing the content. Remember, as always we wrote it using our Totally Transparent Research process and the content is independent and objective. Click here to download the full paper. Here's an excerpt from the opening: Today we see encryption growing at an accelerating rate in data centers, for a confluence of reasons. A trite way to summarize them is "compliance, cloud, and covert affairs". Organizations need to keep auditors off their backs; keep control over data in the cloud; and stop the flood of data breaches, state-sponsored espionage, and government snooping (even by their own governments). Thanks to increasing demand we have a growing range of options, as vendors and even free and Open Source tools address this opportunity. We have never had more choice, but with choice comes complexity, and outside your friendly local sales representative, guidance can be hard to come by. For example, given a single application collecting an account number from each customer, you could encrypt it in any of several different places (the application, the database, or storage) or use tokenization instead. The data is encrypted (or substituted), but each place you might encrypt raises different concerns. What threats are you protecting against? What is the performance overhead? How are keys managed? Does it all meet compliance requirements? This paper cuts through the confusion to help you pick the best encryption options for your projects. In case you couldn't guess from the title, our focus is on encrypting in the data center: applications, servers, databases, and storage. Heck, we will even cover cloud computing (IaaS, Infrastructure as a Service), although we covered it in depth in another paper. We will also cover tokenization and discuss its relationship with encryption. We would like to thank Vormetric for licensing this paper, which enables us to release it for free. As always, the content is completely independent and was created in a series of blog posts (and posted on GitHub) for public comment. - Rich</description><link>http://www.secuobs.com/revue/news/564344.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/564344.shtml</guid></item>
<item><title>Azure AD Token Lifetime</title><description>2015-03-20 18:22:46 - Security Bloggers Network: New post: http://www.cloudidentity.com/blog/2015/03/20/azure-ad-token-lifetime/</description><link>http://www.secuobs.com/revue/news/564295.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/564295.shtml</guid></item>
<item><title>Gemalto adds new tokenisation capabilities to its Trusted Services Hub</title><description>2015-02-25 18:13:50 - Global Security Mag Online: Gemalto is adding important new tokenisation-based payment features to its trusted third-party hub, Allynis Trusted Services Hub. For banks and payment service providers aiming to create a simplified mobile payment experience, Gemalto provides the most complete and most integrated solution, ranging from the mobile tokenisation gateway to the client-server architecture for installing and validating the security of … - Products</description><link>http://www.secuobs.com/revue/news/561143.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/561143.shtml</guid></item>
<item><title>Tokenization: Why It Matters For Your Business</title><description>2015-02-19 10:22:13 - Security Bloggers Network: Growing threats from both malicious and non-malicious insiders mean data security should be an incredibly high priority for enterprises. As Vormetric's 2015 Insider Threat Report noted, 44% of US organizations experienced a data breach or failed a compliance audit in the last year. This is an alarming number, especially when one considers the amount of valuable data many companies store. ClickToTweet: Why Tokenization Matters for Your Business (AshvinKamaraju, DefenderOfData) http://bit.ly/1AISpep With malicious actors becoming increasingly sophisticated, the answer is not to … The post Tokenization: Why It Matters For Your Business appeared first on Data Security Blog, Vormetric.</description><link>http://www.secuobs.com/revue/news/560191.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/560191.shtml</guid></item>
<item><title>Cracking the Confusion: Encryption and Tokenization for Data Centers, Servers, and Applications</title><description>2015-02-11 18:34:28 - Security Bloggers Network: This is the first post in a new series. If you want to track it through the entire editing process, you can follow it and contribute on GitHub. Title: Cracking the Confusion: Encryption and Tokenization for Data Centers, Servers, and Applications. The New Age of Encryption: Data encryption has long been a part of the information security arsenal. From passwords, to files, to databases, we rely on encryption to protect our data in storage and on the move. It's a foundational element of any security professional's education. But, despite the long history and deep value of data encryption, adoption inside our data centers and applications has been relatively, even surprisingly, low. Today we see encryption growing in the data center at an accelerating rate thanks to a confluence of reasons. The trite way to word it is, "compliance, cloud, and covert affairs". Organizations need to keep auditors off their backs, keep control over data in the cloud, and stop the flood of data breaches, state-sponsored espionage, or even their own government snooping. And thanks to increasing demand, there's a growing market of options as vendors and even free and Open Source tools look to meet the opportunity. There have never been more choices, but with choices comes complexity, and outside of your friendly local sales representative, guidance can be hard to come by. For example, given a single application collecting an account number from your customers, you could potentially encrypt it in different places (the application, the database, storage) or use tokenization instead. The data is encrypted, but where you encrypt presents different concerns. What threats is it protecting against? What is the performance overhead? How are keys managed? Does it meet compliance requirements? This paper cuts through the confusion to help you pick the best encryption options for your projects. If you couldn't guess from the title, our focus is on encrypting in the data center: your applications, servers, databases, and storage. Heck, we'll even cover cloud computing (infrastructure), although we covered that in depth in this paper. We'll also cover the role of tokenization, and its relationship with encryption. We aren't going to cover encryption algorithms, cipher modes, or product comparisons. What we do cover are the different high-level options and technologies, like when to encrypt in the database vs. your application, or what kinds of data are best suited for tokenization. We also cover key management, some essential platform features, and how to tie it all together. Understanding Encryption Systems: When most security professionals first learn about encryption, the focus is on keys, algorithms, and modes. We learn the difference between symmetric and asymmetric, and spend a lot of time talking about Bob and Alice. Once you start working in the real world, the focus needs to change. All the fundamentals are still important, but now you need to put them into practice as you implement encryption systems: the combination of technologies that actually protects the data. Even the strongest crypto algorithm is worthless if the system around it is full of flaws. Before we go into specific scenarios, let's review the basic concepts behind building encryption systems, since this becomes the basis for making decisions on exactly which encryption options to go with. The Three Components of a Data Encryption System: When encrypting data, especially in applications and data centers, knowing how and where to place these pieces is incredibly important, and one of the most common causes of failure. We use all of our data at some point, and understanding where the exposure points are, where the encryption components reside, and how they tie together all determine how much actual security you end up with. Three major components define the overall structure of an encryption system: (1) The data: the object or objects to encrypt. It might seem silly to break this out, but the security and complexity of the system are influenced by the nature of the payload, as well as where it is located or collected. (2) The encryption engine: the component that handles the actual encryption (and decryption) operations. (3) The key manager: the component that handles keys and passes them to the encryption engine. In a basic encryption system all three components are likely to be located on the same system. As an example take personal full disk encryption (the built-in tools you might use on your home Windows PC or Mac): the encryption key, data, and engine are all stored and used on the same hardware. Lose that hardware and you lose the key and data (and the engine, but that isn't normally relevant). Neither is the key, usually, because it is protected with another key, or passphrase, that is not stored on the system (but if the system is lost while running, with the key in memory, that becomes a problem). For data centers, it's likely these major components will reside on different systems, increasing complexity and security concerns over how the three pieces work together. - Rich</description><link>http://www.secuobs.com/revue/news/559148.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/559148.shtml</guid></item>
<item><title>What does tokenization mean for our European customers?</title><description>2015-02-10 10:11:14 - Security Bloggers Network: You may have seen the recent blog post from Charles Goldberg, which provides an overview of tokenization and our new product offering in this area. Here in the UK and Europe, we're seeing specific demand for these capabilities around three key areas, which I'd like to highlight here. Euro and UK Applications for Tokenisation and Data Masking from Vormetric http://bit.ly/1KH4mR5 PCI DSS: If an organisation has any need to handle payment card details, it must adhere to PCI compliance … The post What does tokenization mean for our European customers? appeared first on Data Security Blog, Vormetric.</description><link>http://www.secuobs.com/revue/news/558802.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/558802.shtml</guid></item>
<item><title>Requesting an AAD Token with a Certificate, without ADAL</title><description>2015-02-06 20:19:31 - Security Bloggers Network: New quick post: http://www.cloudidentity.com/blog/2015/02/06/requesting-an-aad-token-with-a-certificate-without-adal/</description><link>http://www.secuobs.com/revue/news/558423.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/558423.shtml</guid></item>
<item><title>More than a Token Gesture: Vormetric Unveils New Tokenization Solution</title><description>2015-02-05 09:49:40 - Security Bloggers Network: If you were to ask a lot of security professionals what they first think of when they hear the word "tokenization," many would immediately reply "PCI DSS". Those who've been down the path of a PCI audit know that by leveraging tokenization, they can take databases out of scope, which means they can reduce the time they spend dealing with QSAs, and save a lot of time and money in the process. Although PCI DSS compliance is still the primary … The post More than a Token Gesture: Vormetric Unveils New Tokenization Solution appeared first on Data Security Blog, Vormetric.</description><link>http://www.secuobs.com/revue/news/558153.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/558153.shtml</guid></item>
<item><title>Dispatches from Blackhat Defcon  PayPal Token</title><description>2014-12-03 14:57:01 - NP Incomplete :    PayPal token Originally uploaded by Adam J O'Donnell Paypal placed this item in everyone's BlackHat backpack This second-factor authentication token, which really should be far more common for consumer websites, has to be the best piece of swag I have ever received in the conference fun bag </description><link>http://www.secuobs.com/revue/news/548235.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/548235.shtml</guid></item>
<item><title>12 security problems that EMV and tokenization won't solve</title><description>2014-12-02 16:48:29 - LinuxSecurity.com Latest News: LinuxSecurity.com - On Nov 1 of next year, merchants that aren't ready to accept chip-based cards instead of the current magnetic-stripe cards will become liable for fraudulent transactions that today are covered by the credit card companies.</description><link>http://www.secuobs.com/revue/news/548050.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/548050.shtml</guid></item>
<item><title>Vigilance - Drupal Addressfield Tokens: Cross Site Scripting, analysed 30/10/2014</title><description>2014-11-14 10:14:29 - Vigilance public vulnerabilities: An attacker can trigger a Cross Site Scripting in Drupal Addressfield Tokens, in order to execute JavaScript code in the context of the web site.</description><link>http://www.secuobs.com/revue/news/545457.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/545457.shtml</guid></item>
<item><title>Macros Session Handling Burp BurpSuite Synchronizer Token Pattern Anti-CSRF  Cross-Site Request Forgery  </title><description>2014-10-04 08:59:54 - SecurityTube.Net : Here we use Burp with Macros and Session Handling to get around tokens Synchronizer Token Pattern Anti-CSRF  Cross-Site Request Forgery     this is 2-3 times more traffic then Recursive Grep Method   this is 'easy' and maco can be applied on all attacks not just intruder   be sure to check out other Burp Extentions JSON JS decoders are a great help  help me get http blogspiderlabscom 2012 09 adding-anti-csrf-support-to-burp-suite-intruderhtml working   -rmccurdycom Try to use Makros at  Options - Sessions - Session Handling - Add - Rule Actions and enable the Sequencer at the Scope Tab within the Session handling rule editor Looks like you have to define Makros to  visit the Link  aka call the URL the link points to with the given Token Look around the Sessions-Tab for the appropiate way to accomplish the task http sleepy-tor-8086herokuappcom  http blognvisiumcom 2014 02 using-burp-intruder-to-test-csrfhtml http blogsecurenetde 2013 06 07 automated-scanning-with-burp-despite-anti-csrf-token  https wwwgooglecom search q burp macros xsrf https wwwnetspicom blog entryid 121 fuzzing-parameters-in-csrf-resistant-applications-with-burp-proxy https wwwnotsosecurecom blog 2014 07 02 pentesting-web-service-with-csrf-token-with-burp-pro IMAGE  </description><link>http://www.secuobs.com/revue/news/538531.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/538531.shtml</guid></item>
<item><title>Recursive Grep Burp BurpSuite Synchronizer Token Pattern Anti-CSRF  Cross-Site Request Forgery  </title><description>2014-10-04 08:59:54 - SecurityTube.Net : Here we show some Recursive Grep with BurpSuite for sites that have Synchronizer Token Pattern AKA Anti-CSRF (Cross-Site Request Forgery). This method is 'faster' and less traffic than the macro method (the macro method logs in every time; this method will use the previous request param to submit to its next attack). This method, from what I can tell, does not allow for any other attack but Intruder. Some extensions exist for automating this but I can't find or get them to work. If you know any easy method to automate Active scans WITH tokens (the non 'relogin every time' method) that would be great. rmccurdycom. Help me get http blogspiderlabscom 2012 09 adding-anti-csrf-support-to-burp-suite-intruderhtml working -rmccurdycom http sleepy-tor-8086herokuappcom  http blognvisiumcom 2014 02 using-burp-intruder-to-test-csrfhtml http blogsecurenetde 2013 06 07 automated-scanning-with-burp-despite-anti-csrf-token  https wwwgooglecom search q burp macros xsrf https wwwnetspicom blog entryid 121 fuzzing-parameters-in-csrf-resistant-applications-with-burp-proxy https wwwnotsosecurecom blog 2014 07 02 pentesting-web-service-with-csrf-token-with-burp-pro </description><link>http://www.secuobs.com/revue/news/538530.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/538530.shtml</guid></item>
<item><title>Want to Limit PCI DSS Scope  Use Tokenization</title><description>2014-09-11 14:53:43 - Security Bloggers Network : Every organization should follow a proactive rather than a reactive approach to protect against threats, risks and vulnerabilities, to which if their IT infrastructure is exposed can lead to data </description><link>http://www.secuobs.com/revue/news/534417.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/534417.shtml</guid></item>
<item><title>Azure AD Records User Consent for Native Apps in the Refresh Token</title><description>2014-09-02 09:00:29 - Security Bloggers Network : New post  http wwwcloudidentitycom blog 2014 09 01 azure-ad-records-user-consent-for-native-apps-in-the-refresh-token </description><link>http://www.secuobs.com/revue/news/532535.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/532535.shtml</guid></item>
<item><title>Perspecsys Tokenization Approved to Secure ITAR Cloud Data</title><description>2014-06-04 16:09:22 - Security Bloggers Network : Today, I wanted to share with you a ground breaking decision by the US Department of State's Directorate of Defense Trade Controls (DDTC) that impacts all organizations subject to compliance requirements as defined by International Traffic in Arms Regulations (ITAR). I am pleased to share that Perspecsys received a written ruling from the DDTC confirming... The post Perspecsys Tokenization Approved to Secure ITAR Cloud Data appeared first on PerspecSys </description><link>http://www.secuobs.com/revue/news/517073.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/517073.shtml</guid></item>
<item><title>Vigilance - Drupal AddressField Tokens: Cross Site Scripting, analyzed on 15 05 2014</title><description>2014-05-30 15:50:32 - Vigilance public vulnerabilities: An attacker can trigger a Cross Site Scripting in Drupal AddressField Tokens, in order to execute JavaScript code in the context of the web site </description><link>http://www.secuobs.com/revue/news/516300.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/516300.shtml</guid></item>
<item><title>Third-Party Auth Token Theft  The Big Picture</title><description>2014-05-30 01:42:57 - Security Bloggers Network : Nothing sets the technical journalists abuzz like the prospect of a catastrophic, Internet-wide vulnerability. Fresh off the very legitimate excitement over Heartbleed, some media outlets were hoping for a new scoop with "Covert Redirections". Spoiler alert: there's no catastrophe. For those that haven't heard, this started with a paper and series of blog posts by Wang Jing. Wang describes an attack against websites that use third-party authentication services and are vulnerable to a specific type of Open Redirection. He named this attack "Covert Redirection". Covert Redirection attacks are actually only one variant of a much larger group of attacks that </description><link>http://www.secuobs.com/revue/news/516203.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/516203.shtml</guid></item>
<item><title>Bitly Breached  Change Your Passwords, API Keys and OAuth Tokens</title><description>2014-05-09 20:33:44 - Security Bloggers Network : The post Bitly Breached  Change Your Passwords, API Keys and OAuth Tokens appeared first on The State of Security </description><link>http://www.secuobs.com/revue/news/512833.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/512833.shtml</guid></item>
<item><title>A guide to cloud encryption and tokenization</title><description>2014-04-22 12:42:40 - Help Net Security   Articles : Cloud adoption shows every sign of continuing to grow. The sharing of resources helps businesses achieve savings and agility based on economies of scale, but there's a problem: cloud computing can also </description><link>http://www.secuobs.com/revue/news/509550.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/509550.shtml</guid></item>
<item><title>A guide to cloud encryption and tokenization</title><description>2014-04-22 12:42:27 - Help Net Security   News : Cloud adoption shows every sign of continuing to grow. The sharing of resources helps businesses achieve savings and agility based on economies of scale, but there's a problem: cloud computing can also </description><link>http://www.secuobs.com/revue/news/509549.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/509549.shtml</guid></item>
<item><title>NTUC adopts OneKey security token to secure members' access to its portal</title><description>2014-04-02 06:49:14 - Computer Security News :    The National Trades Union Congress' 600,000 members who are Singapore residents will now have to use a security token to access the union's website to manage their accounts </description><link>http://www.secuobs.com/revue/news/506042.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/506042.shtml</guid></item>
<item><title>Hardware Tokens  How Does SecureAuth Support Them </title><description>2014-03-29 03:45:44 - Security Bloggers Network : I had a reseller ask me today, "How does SecureAuth support hardware tokens?" Today, SecureAuth has over 20 methods of authentication, including support for various hardware tokens, e.g. Smart Cards, CAC/PIV Cards, HID Cards, NFC Proximity Cards, NFC Tags, Yubikey USB Tokens, Symantec VIP, Entrust IdentityGuard Gridcards, ActiveIdentity, OATH TOTP Tokens, and RSA SecurID. SecureAuth... The post Hardware Tokens  How Does SecureAuth Support Them  appeared first on SecureAuth </description><link>http://www.secuobs.com/revue/news/505447.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/505447.shtml</guid></item>
<item><title>Analysis of Visa's Proposed Tokenization Spec</title><description>2014-03-28 22:04:31 - Security Bloggers Network : Visa, Mastercard and Europay (together they are known as EMVCo) published a new specification for tokenisation this month. Tokenization is a proven security technology and has been adopted by a couple hundred thousand merchants to reduce their PCI audit costs and the security exposure of storing credit card information. That said, there really is no tokenization standard out there, for payments or otherwise. Even the PCI-DSS standard does not address tokenization, so companies have employed everything from hashed credit card (PAN) values (craptastic) to very elaborate and highly secure random value tokenization systems. This specification is being provided both to raise the bar on schlock home-grown token solutions and, more importantly, to address fraud with existing and emerging payment systems. I don't expect many of you want to read 85 pages of token system design to determine what it really means, whether there are significant deficiencies, or to contemplate whether these are the best approaches to solve payment security and fraud issues, so I'll summarize here. However, I think this specification will be long lived, so if you build tokenization solutions for a living, you'd better get familiar with it. For the rest of you, here are some of the important highlights of the proposed specification: As you'd expect, the specification requires the token format to be similar to credit card numbers (13-19 digits) and pass LUHN. Unlike financial tokens used today, and at odds with the PCI specification I might add, the token can be used to initiate payments. Tokens are merchant or payment network specific, so tokens are only relevant within that specific domain. For most use cases the PAN remains private between issuer and the customer; the token becomes a payment object shared between merchants, payment processors, the customer and possibly others within the domain. There is an identity verification process to validate the requestor of a token each time a token is requested. The type of token generated is variable, and based upon risk analysis (higher risk factors mean a low assurance token). When tokens are used as a payment object, there are "Data Elements" - think of them as metadata that describe the token - to buttress security. This includes a cryptographic nonce, payment network data and token assurance level. Each of these points has ramifications across the entire tokenization eco-system, so it's not your same ol' tokenization platform that will meet these requirements. That said, they've designed the specification so it will work within today's payment systems while addressing near-term emerging security needs. Don't let the misspelled title fool you: this is a good specification. Unlike the PCI's "Tokenization Guidance" paper from 2011 (rumored to have been drafted by VISA), this is a really well thought out document. It's clear whoever wrote this has been thinking about tokenization for payments for a long time, and they have really done a nice job providing functions to support all of the use cases this specification needs to address. There are facilities and features to address PAN privacy, mobile payments, repayments, EMV smartcard, and even card-not-present web transactions. And it represents not just one audience to the detriment of others, but the needs of all of the significant stakeholders are addressed in some way. Still, NFC payments seem to be the principal driver, as the process and data elements really only gel when considered from that perspective. I think this standard is going to stick. - Adrian Lane </description><link>http://www.secuobs.com/revue/news/505429.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/505429.shtml</guid></item>
<item><title>On Tokenization, Security Current Interview with Terence Spies   Part 1</title><description>2014-03-21 20:41:06 - Voltage Security :      The post On Tokenization, Security Current Interview with Terence Spies   Part 1 appeared first on Voltage Security </description><link>http://www.secuobs.com/revue/news/504278.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/504278.shtml</guid></item>
<item><title>PCI DSS 30 Webinar Q A   Fines, tokens and P2PE</title><description>2014-03-11 18:37:39 - Security Bloggers Network : Last week, we were fortunate to have Jeff Tutton from Intersec Worldwide join Chris Noell to deliver a very informative and useful webinar on what's changed in the... The post PCI DSS 30 Webinar Q A   Fines, tokens and P2PE appeared first on Alert Logic </description><link>http://www.secuobs.com/revue/news/502326.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/502326.shtml</guid></item>
<item><title>MetroTwit Becomes the Latest Twitter Token Casualty</title><description>2014-03-05 15:26:49 - Security Bloggers Network : The popular Twitter client has hit a dead end because of Twitter's imposed access token limits set in place by the microblogging company in August of 2012 </description><link>http://www.secuobs.com/revue/news/501252.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/501252.shtml</guid></item>
<item><title>Principles of Token Validation</title><description>2014-03-03 20:18:04 - Security Bloggers Network : New post  http wwwcloudidentitycom blog 2014 03 03 principles-of-token-validation </description><link>http://www.secuobs.com/revue/news/500869.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/500869.shtml</guid></item>
<item><title>A Sample Windows Phone 8 App Getting Tokens from Windows Azure AD and ADFS</title><description>2014-02-17 00:06:47 - Security Bloggers Network : New post  http wwwcloudidentitycom blog 2014 02 16 a-sample-windows-phone-8-app-getting-tokens-from-windows-azure-ad-and-adfs </description><link>http://www.secuobs.com/revue/news/498206.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/498206.shtml</guid></item>
<item><title>Banks push for tokenization standard to secure credit card payments</title><description>2014-02-13 14:51:17 - Network World on Security : A group representing 22 of the world's largest banks is pushing for broad adoption in the US of payment card technology called tokenization, citing shortcomings in the planned migration to the Europay MasterCard Visa smartcard standard over the next two years </description><link>http://www.secuobs.com/revue/news/497665.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/497665.shtml</guid></item>
<item><title>2FA Tokens  Not Suitable for Businesses in 2014</title><description>2014-02-07 19:01:14 - Security Bloggers Network : 2-Factor Authentication (2FA) was developed as soon as it was made clear that anyone can access any private resource with just basic user information. The most traditional solutions include the use of 2FA tokens, which worked well when there were no alternatives and before the leaked algorithm revelation, but now, in 2014, 2FA tokens simply </description><link>http://www.secuobs.com/revue/news/496633.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/496633.shtml</guid></item>
<item><title>SecurEnvoy Upgrades Technology For Tokenless Authentication With One-Time QR Codes</title><description>2014-02-06 22:10:30 - Dark Reading   All Stories : Server Engine 72 includes "One Swipe" technology, which lets users authenticate themselves with a one-time QR code </description><link>http://www.secuobs.com/revue/news/496432.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/496432.shtml</guid></item>
<item><title>ModSecurity Advanced Topic of the Week  HMAC Token Protection</title><description>2014-01-24 21:04:38 - Security Bloggers Network : This blog post presents a powerful feature of ModSecurity v27 that has been highly under-utilized by most users: HMAC Token Protection. There was a previous blog post written that outlined some usage examples here; however, we did not properly demonstrate the protection coverage gained by its usage. Specifically, by using the HMAC Token Protection capabilities of ModSecurity, you can reduce the attack surface of the following attacks/vulnerabilities: Forceful Browsing of Website Content, Automated Botnet Attacks, Manipulation of Query String Parameters, Reflected Cross-Site Scripting, Cross-Site Request Forgery (CSRF) Protection. Excerpts of this blog post will discuss Recipe 1-2: Preventing Data Manipulation </description><link>http://www.secuobs.com/revue/news/493971.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/493971.shtml</guid></item>
<item><title>30c3 - Extracting keys from FPGAs, OTP Tokens and Door Locks</title><description>2014-01-15 18:49:12 - SecurityTube.Net : Extracting keys from FPGAs, OTP Tokens and Door Locks: Side-Channel (and other) Attacks in Practice. Side-channel analysis (SCA) and related methods exploit physical characteristics of cryptographic implementations to bypass security mechanisms and extract secret keys. Yet, SCA is often considered a purely academic exercise with no impact on real systems. In this talk, we show that this is not the case. Using the example of several wide-spread real-world devices, we demonstrate that even seemingly secure systems can be attacked by means of SCA with limited effort. This talk briefly introduces implementation attacks and side-channel analysis (SCA) in particular. Typical side-channels like the power consumption and the EM emanation are introduced. The main focus is then on three case studies that have been conducted as part of the SCA research of the Chair for Embedded Security (Ruhr-Uni Bochum) since 2008. The first example is FPGAs that can be protected against reverse-engineering and product counterfeit with a feature called "bitstream encryption". Although the major vendors (Xilinx and Altera) use secure ciphers like AES, no countermeasures against SCA were implemented. As a second example, a wide-spread electronic locking system based on proprietary cryptography is analyzed. The target of the third case study is a popular one-time password token for two-factor authentication, the Yubikey 2. In all three cases, the cryptographic secrets could be recovered within a few minutes to a few hours of measurements, allowing an adversary to decrypt FPGA bitstreams, to clone Yubikeys, and to open all locks in an entire installation, respectively. In conclusion, we summarize possible countermeasures against the presented attacks and describe the communication with the respective vendors as part of a responsible disclosure process. For more information please visit - https eventscccde congress 2013 wiki Main_Page </description><link>http://www.secuobs.com/revue/news/491797.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/491797.shtml</guid></item>
<item><title>How I reverse engineered my bank's security token</title><description>2014-01-04 03:59:03 - Reverse Engineering : submitted by tecepe </description><link>http://www.secuobs.com/revue/news/489666.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/489666.shtml</guid></item>
<item><title>Vigilance - Microsoft Office 2013: obtaining the SharePoint token, analyzed on 11 12 2013</title><description>2013-12-26 09:38:33 - Vigilance public vulnerabilities: An attacker can invite the victim to open an Office document on a remote server, in order to obtain the authentication token for a SharePoint server </description><link>http://www.secuobs.com/revue/news/488414.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/488414.shtml</guid></item>
<item><title>Office 365 Token Disclosure Vulnerability Exposes Credentials</title><description>2013-12-17 18:34:20 - Security Bloggers Network : The post Office 365 Token Disclosure Vulnerability Exposes Credentials appeared first on The State of Security </description><link>http://www.secuobs.com/revue/news/486899.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/486899.shtml</guid></item>
<item><title>Bitcoin Token Maker Suspends Operation After Hearing From Federal Gov't</title><description>2013-12-13 01:09:21 - Slashdot  Your Rights Online : First time accepted submitter Austrian Anarchy writes with this story via Reason (and based on a report at Wired) about a maker of physical Bitcoin tokens. Quoting from Reason's take: "Mike Caldwell ran a business called Casascius that printed physical tokens with a bitcoin digital key on it, key hidden behind a tamper proof strip. He'd charge 50 worth of bitcoin to print a bitcoin key you sent him via computer on this token. Cool stuff--a good friend of mine found one sitting unnoticed in her tip jar from an event at which she sold her artisan lamps from 2011 and was naturally delighted given the nearly 1000x increase in value of a bitcoin since then. So, you're making something fun, useful, interesting, harmless--naturally the federal government is very concerned and wants to hobble you. 'Just before Thanksgiving, [Caldwell] received a letter from the Financial Crimes Enforcement Network, or FINCEN, the arm of the Treasury Department that dictates how the nation's anti-money-laundering and financial crime regulations are interpreted. According to FINCEN, Caldwell needs to rethink his business. "They considered my activity to be money transmitting," Caldwell says. And if you want to transmit money, you must first jump through a lot of state and federal regulatory hoops. Caldwell hasn't jumped through.'" </description><link>http://www.secuobs.com/revue/news/486020.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/486020.shtml</guid></item>
<item><title>Behind the Scenes of a Fake Token Mobile App Operation</title><description>2013-12-12 16:07:57 - Security Bloggers Network : In the last few years, we have seen the mobile space explode with malware According to a recent report by Trend Micro, the number of malware and high-risk apps available on the Android platform has crossed the one million mark, growing more than a tho </description><link>http://www.secuobs.com/revue/news/485941.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/485941.shtml</guid></item>
<item><title>Anti-CSRF token support in new Netsparker v1833</title><description>2013-11-28 16:23:36 - Netsparker  Web Application Security Scanner : After releasing 7 updates in 2010 with a total of 16 security checks and 15 new features, here is the first Netsparker update of 2011. Anti-CSRF Token Support: If you ever tried to test a website with strict anti-CSRF manually or automatically, you would know how irritating it can get. It is also very hard to exploit vulnerabilities in these applications where many tools do not support Anti-CSRF tokens. Netsparker 1833 comes with Anti-CSRF token support in detection, confirmation and exploitation. By default, it automatically works with the following frameworks / languages: ASPNET and ASPNET MVC, Struts2, ColdFusion, PHP (Symfony, CodeIgniter, Zend). You can go to Settings (F4) - Attacking to configure it according to your custom applications. Enjoy. Brute Force Support: Now when Netsparker sees a resource that requires Basic, NTLM or Digest Authentication, it automatically tries a list of known usernames and passwords and reports if it manages to find a valid credential. You can change Brute Force related settings from Settings (F4) - Brute Force. New Checks: Frame Injection; Possible Sensitive Files Detection (Categories: Log, Stats, Installation, Configuration, Administration, Database); Backdoor Detection; Tomcat Source Code Disclosure; Tomcat Default Pages Identification. Form Authentication Improvements: AJAX support added to Form Authentication (Netsparker has supported AJAX in crawling since the first release; however, it wasn't supported in Form Authentication and we finally addressed this issue); RegEx option added to Signatures; New Source Code View added; Logged In/Out Views improved; Addressed an issue where some characters such as ' caused problems in Configure Authentication if they were used in usernames or passwords. Other Improvements: Heuristic Binary Response Detection added, which will increase the speed and coverage of scans; Extension Blacklisting slightly changed, so Netsparker now determines automatically whether a URL is a static or a dynamic file; New checks added to XSS Engine; Confirmation added to external JS injection in XSS Engine; An advanced Negative Match option added to Advanced Settings (click Settings while holding down Ctrl to enable the Negative Matching option in Configure Form Authentication); Minor charset related bugs addressed; Basic Authentication issues were not reported if the user manually entered a Basic Authentication; Vulnerable parameter was reported incorrectly in Permanent XSS issues; If there is a Path or Internal IP Disclosure in HTTP Headers, Netsparker will report those as well; Some issues were not reported if they were in 404 pages; Several other minor changes and improvements. If you have a valid Netsparker Professional or Standard license, then all you need to do is click Help - Check Updates to update to Netsparker's latest version </description><link>http://www.secuobs.com/revue/news/483455.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/483455.shtml</guid></item>
<item><title> Secure Dropbox data using a hardware security token</title><description>2013-11-21 08:04:35 - Help Net Security   News : Intrinsic-ID released Saturnus, an application that enables enterprises to protect digital assets stored and shared on Dropbox With Saturnus, files are encrypted before they leave the device and </description><link>http://www.secuobs.com/revue/news/482299.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/482299.shtml</guid></item>
<item><title>Interview with Dan Philpot, Stealing Tokens for Privilege Escalation, Exploit Development with Monapy  - Episode 351 - October 29, 2013</title><description>2013-11-04 21:07:13 - PaulDotCom Security Weekly : Dan Philpott is a Solutions Architect with Natoma Technologies working with Federal customers on cloud computing and federal information security projects. His work focuses on federal information security initiatives including FISMA, cybersecurity, FDCC, USGCB, HSPD-12, risk management and other federal information assurance initiatives. He has worked on federal cloud computing security with the Cloud Security Alliance and has participated in Federal CIO Council cloud and FedRAMP efforts. He is the founder of FISMApediaorg, an information security instructor with Potomac Forum and co-author of "FISMA and the Risk Management Framework" from Syngress. He is fully buzzword compliant and an owner of the coveted Application Security Specialist baseball cap, known in security circles as the ASS hat </description><link>http://www.secuobs.com/revue/news/478976.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/478976.shtml</guid></item>
<item><title> Free eBook  Tokenization for Dummies</title><description>2013-10-31 10:18:24 - Help Net Security   News : In today's ever-evolving technological landscape, the data that defines and drives your business is increasingly susceptible to corruption and theft Financial transactions, payroll information a </description><link>http://www.secuobs.com/revue/news/478150.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/478150.shtml</guid></item>
<item><title>FACEBOOK ANDROID FLAWS ENABLE ANY APP TO GET USER'S ACCESS TOKENS</title><description>2013-10-30 01:32:10 - Security Bloggers Network : A researcher has discovered serious vulnerabilities in the main Facebook and Facebook Messenger apps for Android that enable any other app on a device to access the user's Facebook access token and take over her account. The same researcher also discovered a separate, similar flaw in the Facebook Pages Manager for Android, an app that allows admins to manage multiple Facebook accounts. That bug also enables other apps to grab a user's access token. The vulnerabilities were discovered earlier this year by Mohamed Ramadan, a researcher at Attack Secure, who reported them to Facebook and was rewarded with 6,000 in bug bounties. The first vulnerability lies in the way that the main Facebook app and the Facebook Messenger app for Android devices handle a user's </description><link>http://www.secuobs.com/revue/news/477894.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/477894.shtml</guid></item>
<item><title>Using ADAL's AcquireTokenBy AuthorizationCode to Call a Web API From a Web App</title><description>2013-10-29 10:40:02 - Security Bloggers Network : New post  http wwwcloudidentitycom blog 2013 10 29 using-adals-acquiretokenby-authorizationcode-to-call-a-web-api-from-a-web-app </description><link>http://www.secuobs.com/revue/news/477713.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/477713.shtml</guid></item>
<item><title>Buffer encrypts access tokens after spammer hack</title><description>2013-10-28 07:24:54 - Network World on Security : Buffer, a service for scheduling social media posts, said Sunday it has strengthened its security after spammers gained access to its network </description><link>http://www.secuobs.com/revue/news/477437.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/477437.shtml</guid></item>
<item><title>Video  An Overview of Tokenization   the Credit Card Industry</title><description>2013-10-24 14:23:17 - Security Bloggers Network : Akamai CSO Andy Ellis gives an overview of tokenization and why it exists, as well as a brief history of the credit card industry </description><link>http://www.secuobs.com/revue/news/476775.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/476775.shtml</guid></item>
<item><title>ADAL, Windows Azure AD and Multi-Resource Refresh Tokens</title><description>2013-10-14 11:22:20 - Security Bloggers Network : see http wwwcloudidentitycom blog 2013 10 14 adal-windows-azure-ad-and-multi-resource-refresh-tokens </description><link>http://www.secuobs.com/revue/news/474441.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/474441.shtml</guid></item>
<item><title>Easier Data Encryption and Tokenization for z OS Mainframe</title><description>2013-10-10 19:35:40 - Voltage Security :       The post Easier Data Encryption and Tokenization for z OS Mainframe appeared first on Voltage Security </description><link>http://www.secuobs.com/revue/news/473883.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/473883.shtml</guid></item>
<item><title>SecureKey Divests Hardware Security Token Group</title><description>2013-10-09 17:34:57 - Dark Reading   All Stories : Kili Technology was founded by SecureKey Chairman Greg Wolfond with funding from Toronto-based Blue Sky Capital </description><link>http://www.secuobs.com/revue/news/473544.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/473544.shtml</guid></item>
<item><title>Adobe, IceFog, and tokenization</title><description>2013-10-06 03:05:28 - Security Bloggers Network : This week's compromise of Adobe's systems demonstrates once again that no organization is completely safe One method to reduce risk related to business impact is to stop storing sensitive data by replacing it with tokens </description><link>http://www.secuobs.com/revue/news/472840.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/472840.shtml</guid></item>
<item><title>Secure Your Cisco IPSec with SecureAuth Mobile OATH Tokens </title><description>2013-10-02 18:28:57 - Security Bloggers Network : IPsec is a widely used protocol that has allowed access to enterprise resources since the early 90s. So far, the authentication is provided with a valid username and password combination. So what if we want to change this username/password authentication to something like username/OATH OTP and still have a successful Cisco IPsec connection? And yes, it's now possible </description><link>http://www.secuobs.com/revue/news/472135.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/472135.shtml</guid></item>
<item><title>Getting Acquainted with ADAL's Token Cache</title><description>2013-10-01 19:19:09 - Security Bloggers Network : See http wwwcloudidentitycom blog 2013 10 01 getting-acquainted-with-adals-token-cache  read more  </description><link>http://www.secuobs.com/revue/news/471897.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/471897.shtml</guid></item>
<item><title>Employ Mobistealth token</title><description>2013-09-22 19:35:33 - securitystream.info : Mobistealth can be a popular cellphone and PC monitoring application which has garnered excellent buyer testimonials. Its different applications are made to check children, spouses and employees, track and spot their location, sustaining a log of calls and messages. Essentially, Mobistealth is a spy software program aimed at... Read more </description><link>http://www.secuobs.com/revue/news/470131.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/470131.shtml</guid></item>
<item><title>How encryption and tokenization help with cloud services adoption</title><description>2013-08-23 19:16:23 - Help Net Security   News : Today's CIOs and CISOs are facing continued pressure to adopt the cloud enterprise-wide while managing the increasing operational and security risks associated with it. While the challenge can be </description><link>http://www.secuobs.com/revue/news/464662.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/464662.shtml</guid></item>
<item><title>7009  OAuth 2.0 Token Revocation</title><description>2013-08-23 00:15:51 - New RFCs :  23KB  This document proposes an additional endpoint for OAuth authorization servers, which allows clients to notify the authorization server that a previously obtained refresh or access token is no longer needed. This allows the authorization server to clean up security credentials. A revocation request will invalidate the actual token and, if applicable, other tokens based on the same authorization grant. </description><link>http://www.secuobs.com/revue/news/464507.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/464507.shtml</guid></item>
<item><title>Twitter says no accounts compromised after OAuth token "hack"</title><description>2013-08-21 22:35:16 - Security Bloggers Network : The microblogging site said no accounts have been compromised after a hacker claimed to have acquired user details by allegedly breaking into its databases. </description><link>http://www.secuobs.com/revue/news/464276.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/464276.shtml</guid></item>
<item><title>One-time passwords with token</title><description>2013-08-21 15:15:07 - Security Bloggers Network : 1. Introduction. One-time passwords are used to achieve higher security than traditional static passwords. They're often generated by tokens. This article presents how tokens (synchronous and </description><link>http://www.secuobs.com/revue/news/464167.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/464167.shtml</guid></item>
<item><title>A Peek Inside a Managed OTP ATS TAN Token Bypassing Hijacking Blocking System as a "Licensed" Service</title><description>2013-07-19 22:58:34 - Dancho Danchev's Blog   Mind Streams of Information Security Knowledge : One of the most common questions that I get during Q&amp;A sessions after a PPT, or in a face-to-face conversation is: "Hello, my name is [name], I represent [random financial institution]. Are we being targeted based on your situational awareness?" For years, virtually every company, every brand, every financial institution has been targeted, largely thanks to the rise of Crimeware-as-a-Service. </description><link>http://www.secuobs.com/revue/news/458066.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/458066.shtml</guid></item>
<item><title>Semiconductor Giant Drops Hard Tokens to Save Big</title><description>2013-05-22 20:12:52 - Security Bloggers Network : At Marvell Technology Group, which makes more than one billion semiconductor chips a year, security is a critical task. The company recently jettisoned its hard token approach to two-factor authentication in favor of a soft token system. </description><link>http://www.secuobs.com/revue/news/447085.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/447085.shtml</guid></item>
<item><title>In-Webo announces two-factor authentication without a token</title><description>2013-04-30 11:39:46 - Global Security Mag Online : In-Webo Technologies announces the launch of a "Cloud Token" named Helium. Helium is a "Cloud Token", that is, a purely web-based authentication tool. The advantage: any site, professional or consumer-facing, can now benefit from strong authentication to protect its services, without having to distribute, or have the user install, any hardware or software component, not even a certificate. The user simply sets their password at the first connection to the  - Products </description><link>http://www.secuobs.com/revue/news/442644.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/442644.shtml</guid></item>
<item><title>Token Vaults and Token Storage Tradeoffs</title><description>2013-04-19 19:47:49 - Security Bloggers Network : The use of tokenization continues to climb as customers look to simplify PCI-DSS compliance. With this increased adoption comes a lot of vendor positioning and puffery in order to differentiate their products in an increasingly competitive market. And it's this competitive positioning that often causes confusion with buyers, and why I have spent my last two mornings answering questions on FPE vs. tokenization, and what the difference is between a token vault and a database. Most questions of late center on this latter subject, tokenization data vaults, with corresponding vendor hyperbole that's creating some confusion. In this post I will help define what a token vault is, and shed some light on the pros and cons. The goal is to help you, the consumer, determine for yourself if it's something you need to consider when selecting a tokenization solution. So what is a token vault? It's where you store your tokens once they have been issued. When using a tokenization solution, the issued tokens, along with the credit card numbers they represent, need to be recorded. The storage location is what's called a "token vault". The token vault usually contains other information, but for the purpose of this discussion, just think of the token vault as a long list of CC-token pairs. And as this debate is mainly applicable to credit card processing token solutions, I'll keep the focus there. A new type of solution called "stateless" or "vault-less" tokenization is now available. These systems use derived tokens, or tokens that can be recalculated from some secret value, and need not be stored in a database. The press hype underway is that token vaults are bad, and that you should stay away from them. The principal discussion point is "You don't want a relational database as a token vault", or more specifically, "An Oracle database token vault is slow and expensive, and customers don't want that". Not so fast. The issue is not that clear cut. It's not that token vaults are good or bad, but like most technologies there are tradeoffs. Token vaults are fine for many types of customers, and they're not so good for others. There are three issues at the heart of this debate: cost, scale and performance. Let's take a closer look at each. Cost: If you are going to use an Oracle, IBM DB2 or Microsoft SQL Server database for your token vault, you'll need a license to operate that database. And as you'll need redundancy, you'll need a couple of databases, and correspondingly a couple of licenses. If you want to ensure that the tokenization system can handle large bursts of transactions, say holiday shopping periods, you'll need big servers. As databases are priced on the capacity of the server, these licenses can get very expensive. That said, many customers running in-house tokenization systems already have database site licenses, so lots of customers simply don't see this as an issue. Scale: If you have data processing sites where your token servers are dispersed across remote data centers that cannot guarantee 24/7 communication uptime, synchronization of token vaults is a serious issue. You want to ensure that credit cards are not being mis-used, that you have transactional consistency across all locations, and that a token is only issued to one customer or transaction. With "stateless" or "vault-less" tokenization, synchronization is inherent to the design. If consistency across a scaled tokenization deployment is critical to you, this makes derived tokens incredibly attractive. But some non-derived token systems with a token vault get around this issue by allocating different token sequences to ensure tokens are unique, and latency in synching systems is not a big issue. When it comes down to it, this is a critical advantage for very large credit card processors and merchants, but it's not a universal requirement. Performance: Some token server designs require a check into the token vault, prior to completing a transaction, to see if a credit card or token is already present in the database. This is especially true when a single token is used to represent multiple transactions or merchants (i.e. multi-use tokens). By and large, early tokenization solutions have bad database architectures. They don't provide an efficient means of indexing token/CC pairs for quick lookup. It's not the database that was the problem, it was the token vault designer's failure. As the number of tokens climbs into the tens or hundreds of millions, lookup operations are really slow. Many customers have a bad impression of the token vault because early implementations got this part wrong. So very wrong. Today, lookup speed is not always a problem, but the customer needs to verify that any given solution meets their requirements during peak loads. For some customers a "vault-less" tokenization solution can provide advantages in all three categories. Other customers have a deep understanding of relational databases, so security, performance and scalability are just part of daily operations management. No vendor can claim that databases or token vaults are universally the wrong choice, in the same way that no one can claim a non-relational solution is always the right choice. The decision comes down to the customer's environment and IT operations. I'm willing to bet that the vendors of the solutions I am describing will have some additional comments, so as always, the comments section is open to all who want to add to this discussion. - Adrian Lane </description><link>http://www.secuobs.com/revue/news/440678.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/440678.shtml</guid></item>
<item><title>Beyond honeypots: It takes a honeytoken to catch a thief</title><description>2013-04-19 17:06:50 - LinuxSecurity.com   Latest News : Last week I talked about the importance of deploying honeypots to catch malicious hackers and malware. But there's a related tool that's craftier and even easier to deploy: the honeytoken. </description><link>http://www.secuobs.com/revue/news/440640.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/440640.shtml</guid></item>
<item><title>Complexity Management with Tokenization</title><description>2013-04-05 01:32:34 - 1 Raindrop : Tokenization is a major trend in application and data security, and gateways are an ideal location to deploy tokenization services. Tokenization replaces sensitive data with benign data. The classic example here is PCI DSS, and the business value of tokenization is summed up here. Now I am no graphic designer, but let me take advantage of the Chinese saying that 1,001 words is worth more than a picture. As much as I like the graphic above, it does not tell </description><link>http://www.secuobs.com/revue/news/437762.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/437762.shtml</guid></item>
<item><title>Testing TeamMentor's password reset feature (now with token stored as a Hash)</title><description>2013-03-28 16:51:06 - Dinis Cruz Blog : In the "The Power of UnitTests when refactoring code (for example Security Pages)" post I showed the new TeamMentor feature of password reset. This post shows an updated version of it which now stores the password reset tokens using PBKDF2 hashing. To start, open TBot, and click on the New Random User link, which will quickly create a test user for us to use. Copy the email address, and use it on the passwordForgot page (link available from the login dialog page). Once the email is submitted, you can go to TBot's View Emails Sent page, where you can see the email that was (supposed to be) sent to the user (the SMTP password is not set up on this server, which is why the email was not sent and is shown in red). Here is the email sent to the user with the password reset details: "Hi FName LName, a password reminder was requested for your account. You can change the password of your test_user_SiZif account using https teammentor-33-ciazurewebsitesnet 443 passwordReset test_user_SiZif 762cb15a-fa30-44f9-bcdc-1393c487bbc6 If you didn't make this request, please let us know at support teammentornet". Copy the password reset url, open it in the browser and set a password. Once the password is successfully changed, you can login as that user. Another way to test this feature is to go to TBot's Current Users page, select the desired user, and click on the "open password reset page" link, which will open the password reset page for this user with a valid token (which can only be used once). Note that if you open the Raw Xml Data page for this user, you will see that the password token is stored as a long hash (very similar to the password one). </description><link>http://www.secuobs.com/revue/news/436392.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/436392.shtml</guid></item>
<item><title>Blackhat 2010 - Token Kidnapping's Revenge</title><description>2013-02-18 02:50:45 - SecurityTube.Net : On April 14, 2009 Microsoft released a patch (documented here) to fix the issues detailed in my previous Token Kidnapping presentation (download PDF). The patch properly fixed the issues, but... This new presentation will detail new design mistakes and security issues that can be exploited to elevate privileges on all Windows versions, including the brand new Windows 2008 R2 and Windows 7. These new attacks allow bypassing new Windows services protections such as per-service SID, write-restricted token, etc. It will be demonstrated that almost any process with impersonation rights can elevate privileges to the Local System account and completely compromise Windows OSs. While the issues are not critical in nature, since impersonation rights are required, they allow exploiting services such as IIS 6, IIS 7, SQL Server, etc. in some specific scenarios. Exploit code for those services will be released. The presentation will be given in a very practical way, showing how the new issues were found, with what tools, techniques, etc., allowing the participants to learn how to easily find these kinds of security issues in Windows operating systems. </description><link>http://www.secuobs.com/revue/news/428271.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/428271.shtml</guid></item>
<item><title>Multitenant STS and Token Validation</title><description>2013-02-08 12:06:29 - Security Bloggers Network : Writing this blog post or downloading Adera Episode 3? Why do I even ask, I already know the answer :-) Today I want to tell about one of the patterns behind Windows Azure Active Directory. I call it the multitenant STS pattern, which is a pretty descriptive name IMO and seems to have caught on internally, but as usual (and as everything discussed here) that's not an official denomination. Also, I want to introduce you to the ValidatingIssuerNameRegistry, one new WIF component we introduced to (quietly) help you to better take advantage of this new construct. Ceci N'est Pas un Federation Provider. If you followed the Windows Azure Active Directory developer preview epopee so far, you already know that among its many great features there is the ability of supporting multi-tenant applications. As shown in the tutorial here, you can easily offer access to the same SaaS application to multiple directory tenants. That comes with the standard laundry list of things you need to take care of when developing multitenant applications: home realm discovery, tenant isolation enforcement, provisioning, and similar (remember FabrikamShipping? I am still super-proud of it :-) ). For many already versed in the claims-based arts, that might look like a sure tell sign that Windows Azure Active Directory is, or at least includes, an STS in the federation provider role. You'll be surprised to read that in fact that is not the case. To be more precise: yes, a federation provider does come into play, but that is NOT what allows your application to leverage Windows Azure Active Directory to handle authentication from multiple organizations. What allows that is the multitenant nature of Windows Azure AD itself. Federation Provider ------------------- By now a lot of you will be wondering: what is this "federation provider" thingy he is blabbering about? Without rewriting the many good explanations that abound on the internet, here there's a quick primer (with some oversimplification for the sake of readability). If you already know what a FP is, please jump to the next section (without collecting the $200). You are already familiar with the notion of identity provider, or IP, or IdP: it is one entity that knows about a certain user population, has the ability of authenticating users and does so via well-known protocols. The main tool used by the IP to exercise its prerogative is the Security Token Service, or STS: in this specific case, an STS is an endpoint that is capable of receiving user credentials, validating them, looking up user attributes and packaging them in a security token (SAML, JWT, remember those?). Say that a developer wants to restrict access to a certain app to the user population controlled by the IP. The developer will configure the application to trust the IP, which means that the app will rely (hence "RP") on the IP to authenticate users and faithfully represent the outcome in a security token. Wow, I can't believe how long it has been since I explained this :-) I guess I didn't realize how ubiquitous claims-based identity became in the last few years. Amazing. Anyway. Now, imagine that your app wants to work with many different user populations: that means establishing trust with many IPs. That can be onerous, given that IPs might all be very different from each other and require different logic for integration; furthermore, onboarding of new ones would likely disrupt operations and require major overhauling. In other words, in the general case that's something you'd often be happy to offload somewhere else. Well, as it turns out, that's easy. The trust establishment process described for the IP can be iterated. An STS A can be considered an app in itself, and as such, it can trust another IP (or, more precisely, its STS B). So now you'd have an application which offloads authentication to STS A, and STS A in itself would offload authentication to STS B. But that's great! Now you can have STS A also trust STS C, D and E without really having to touch the application's code. STS A is an intermediary which handles trust relationships: when an entity plays that role, we say that it is a federation provider (FP). That's largely because originally the various A, B, C represented different organizations, and a trust between organizations is a federation (though once we have an STS that can act as an intermediary we can apply its capabilities also in situations where there are no organizational boundaries). Examples of STSes with FP capabilities abound. ACS 2.0 and ADFS v2 are the first that come to mind. For example, by trusting an ACS 2.0 namespace your app just needs to deal with ACS integration (only one endpoint to connect to, only one key for verifying incoming tokens, and so on). ACS takes care of contacting Facebook, Google, Microsoft Account, Yahoo!, OpenID and ADFS2 instances, bearing all the brunt of speaking the different protocols they require. The custom of using an FP façade when there are multiple STSes is so common that, out of the box, applications using WIF expect to trust only one STS at a time. Multitenant STS --------------- As it exists today, Windows Azure AD is not really a FP for your applications. If anything, it is an IP, or rather, it defines an IPs space. Too abstract? Keep reading. Windows Azure AD offers to organizations the infrastructure for running their own IP within it. Tenants are modeled after a template which represents a generic identity provider, with parameterized endpoints for its various protocol heads. The STS endpoint corresponding to a certain organization is obtained by instantiating its tenant ID in the parameter of the endpoint template. The issuing infrastructure is shared, as you would expect from a multitenant system, but from the protocol perspective there are as many IPs as there are tenants in Windows Azure AD. For example: say that the template for the WS-Federation endpoint is https accountsaccesscontrolwindowsnet TENANTID v2 wsfederation. Say that the tenant ID of TreyResearch is 929bfe53-8d2d-4d9e-a94d-dd3c121183b4. An application that wants to authenticate users from TreyResearch will have to send signin messages to https accountsaccesscontrolwindowsnet 929bfe53-8d2d-4d9e-a94d-dd3c121183b4 v2 wsfederation. Want to obtain the STS endpoint of Fabrikam? Find the tenant ID, instantiate it in the template, and you've got it. Ah, and finding the tenant ID is not hard: you can simply look in the entityID of the metadata document, also in the form of an endpoint template but admitting the more human-friendly domain name (e.g. https accountsaccesscontrolwindowsnet treyresearch1onmicrosoftcom FederationMetadata 2007-06 FederationMetadataxml). Validating Tokens from a Multitenant STS: The multitenant STS pattern is a clever way of offering to organizations their very own IP instance, to manage at their whim, while still leveraging a shared, consistent infrastructure. One aspect of the Windows Azure AD STS infrastructure is that it uses the same certificate for every tenant. Tokens from Windows Azure AD are all signed with the same certificate, a bit like every bank check from a WoodGrove Bank booklet is printed on the same hard-to-falsify patterned sheets. Per the same analogy: when you receive a bank check as payment, I am sure you'll find it reassuring to confirm that it is not printed on a crumpled post-it. However, that's not the main factor that makes you decide that the check is good: you normally associate the validity of the check with the entity that is writing it for you. Somebody giving you the impression of being a con artist would probably not convince you to accept a check, even if it's written on a mint condition official booklet page. What does it mean in terms of tokens? It means that just because a token is coming from Windows Azure AD does not mean that your app should accept it. You should accept it if it comes from Windows Azure AD AND it has been issued by the tenant you are in business with. And how do you verify it? Simple. You need to check that the thumbprint of the certificate used to sign the token corresponds to the one you saved in your config, AND it means that you have to verify that the issuer element (for SAML; substitute with the element of equivalent semantic for other formats) corresponds to the value you saved at trust establishment time, which typically means the entityID read from the metadata and containing the ID of the specific tenant you want. There's more. Say that you are selling access to your application to multiple Windows Azure AD tenants. You still want to validate the same thumbprint, but now you want to be able to look up the incoming issuer value in a list of multiple candidates, based on the IDs of all the tenants you are in business with. In the WIF classes you find out of the box in .NET 4.5, verifications of that kind are normally performed by the IssuerNameRegistry, and specifically, by its concrete implementation ConfigurationBasedIssuerNameRegistry. However ConfigurationBasedIssuerNameRegistry does not actually allow you to specify multiple issuer names per one thumbprint. Furthermore, ConfigurationBasedIssuerNameRegistry does not validate the incoming issuer element: the Name attribute in the config element is just an alias for the IP using the corresponding certificate, as established at trust establishment time. Its only effect is to determine the value of the Issuer property of the claims in the ClaimsPrincipal. Introducing ValidatingIssuerNameRegistry ---------------------------------------- Well, well, well. Today we released a new NuGet containing an assembly with the class ValidatingIssuerNameRegistry, a new IssuerNameRegistry implementation which does validate incoming issuer elements and offers a new configuration element schema to accommodate multiple issuer names. ValidatingIssuerNameRegistry also comes with a nice extensibility model, which allows you to plug in your own validation logic if, for example, your list of trusted tenants grows and shrinks dynamically, hence is better stored outside of web.config. If you studied the multitenant application tutorial, you know that there we solved the issue by providing a custom handler for SAML tokens; however the shortcoming of that solution is that it is scoped to only that token type, which is one of the main reasons for which we opted for an IssuerNameRegistry implementation for a more strategic solution. Here there's how a basic ConfigurationBasedIssuerNameRegistry config entry maps to the new ValidatingIssuerNameRegistry format. The old one: ... And the new one: ... We now have a new construct, authority. An authority can have multiple issuerValues, to meet the requirements described earlier. Although the structure suggests it can also have multiple keys, in the case of Web SSO there will always be just one. Easy, right? In some future post (or at the next revamp of the multitenant app tutorial) I'll discuss how to write your custom extension for reading issuers from external storage. As we update our tools, we will include logic to automatically generate ValidatingIssuerNameRegistry config elements and add a reference to the corresponding NuGet in your projects. But even before that, if you work with Windows Azure AD it is important that you use the ValidatingIssuerNameRegistry instead of the in-box ConfigurationBasedIssuerNameRegistry. As you can see, that's actually pretty straightforward :-) </description><link>http://www.secuobs.com/revue/news/426524.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/426524.shtml</guid></item>
<item><title>The Dilemma of the OAuth Token Collector</title><description>2013-02-05 23:46:13 - Security Bloggers Network : 'Tis the season to be hacked, I guess Twitter joined a bunch of other companies in revealing that it was the target of a sophisticated attack that may have exposed the information for about 250,000 users While the data that was allegedly exposed, inc </description><link>http://www.secuobs.com/revue/news/425957.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/425957.shtml</guid></item>
<item><title>Tokenless authentication comes to the cloud</title><description>2013-01-14 10:26:06 - Help Net Security   News : SecurEnvoy has partnered with PasswordBank to bring the leading tokenless two-factor authentication capabilities to the PasswordBank identity management offering. Customers will be able to access c </description><link>http://www.secuobs.com/revue/news/421567.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/421567.shtml</guid></item>
<item><title>Tokenless Authentication Comes To The Cloud</title><description>2013-01-10 21:36:18 - Security Bloggers Network : PasswordBank </description><link>http://www.secuobs.com/revue/news/421065.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/421065.shtml</guid></item>
<item><title>Secure Stateless Tokenization Announced by Voltage Security</title><description>2012-12-20 07:43:10 - SecurityPark.net : The world leader in data-centric encryption and key management, Voltage Security, announced the general availability of Voltage Secure Stateless Tokenization (SST) technology, an advanced, patent-pending data security solution that provides enterprises, merchants and payment processors with a new approach to help assure protection for payment card data, with significant Payment Card Industry Dat  more  </description><link>http://www.secuobs.com/revue/news/418011.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/418011.shtml</guid></item>
<item><title>Secure stateless tokenization for enterprises</title><description>2012-12-20 06:19:04 - Help Net Security   News : Voltage Security announced its Stateless Tokenization (SST) technology, a patent-pending data security solution that provides enterprises, merchants and payment processors with a new approach to help  </description><link>http://www.secuobs.com/revue/news/418004.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/418004.shtml</guid></item>
<item><title>Voltage Secure Stateless Tokenization Advances Data Security For Enterprises, Merchants, And Payment Processors</title><description>2012-12-20 02:59:38 - Security Bloggers Network : Voltage SST technology is offered as part of the Voltage SecureData Enterprise data security platform </description><link>http://www.secuobs.com/revue/news/417969.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/417969.shtml</guid></item>
<item><title>New Voltage Secure Stateless Tokenization Able To Reduce PCI Scope By 90 Percent</title><description>2012-12-19 02:04:15 - Security Bloggers Network : Solution providing enterprises, merchants, and payment processors with a new approach to protecting payment card data. </description><link>http://www.secuobs.com/revue/news/417709.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/417709.shtml</guid></item>
<item><title>Introducing the Developer Preview of the JSON Web Token Handler for the Microsoft .NET Framework 4.5</title><description>2012-11-21 10:30:02 - Security Bloggers Network : (The JWT handler class diagram, spanning 3 monitors :-) ) Today I am really, really happy to announce the developer preview of a new extension that will make the JSON Web Token format (JWT) a first-class citizen in the .NET Framework: the JS </description><link>http://www.secuobs.com/revue/news/412652.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/412652.shtml</guid></item>
<item><title>Singaporeans get hard token baked into credit card</title><description>2012-11-10 23:41:25 - Privacy  Security  Crypto and smart dust : by Simon Sharwood. Two-factor authentication just got a whole lot more convenient for residents of Singapore, after Standard Chartered Bank's local outfit teamed with MasterCard to offer account-holders a credit card that is also a one-time-password-generating hard token. See full article here. </description><link>http://www.secuobs.com/revue/news/410753.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/410753.shtml</guid></item>
<item><title>YubiKey NEO authentication token released</title><description>2012-11-08 10:48:27 - Help Net Security   News : Yubico announced the production launch of the YubiKey NEO, a new authentication token that features Near Field Communications (NFC) technology, asymmetric cryptography support and mobile security with</description><link>http://www.secuobs.com/revue/news/410284.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/410284.shtml</guid></item>
<item><title>White Paper  Tokenization vs Encryption</title><description>2012-10-25 01:06:47 - Security Bloggers Network :  We are re-launching one of our more popular white papers, Tokenization vs Encryption  Options for Compliance The paper was originally written to close some gaps in our existing tokenization research coverage, and address the common questions  </description><link>http://www.secuobs.com/revue/news/407608.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/407608.shtml</guid></item>
<item><title>6750: The OAuth 2.0 Authorization Framework: Bearer Token Usage</title><description>2012-10-13 03:05:36 - New RFCs :  38KB. This specification describes how to use bearer tokens in HTTP requests to access OAuth 2.0 protected resources. Any party in possession of a bearer token (a "bearer") can use it to get access to the associated resources (without demonstrating possession of a cryptographic key). To prevent misuse, bearer tokens need to be protected from disclosure in storage and in transport. [STANDARDS-TRACK]</description><link>http://www.secuobs.com/revue/news/405406.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/405406.shtml</guid></item>
<item><title>Don't Just Tokenize Your PCI Data: PII and PHI Can Be Perfect Candidates Too</title><description>2012-09-27 18:44:01 - Security Bloggers Network : People tend to associate tokenization with payment card data, debit and credit card numbers. And while this has been the main use case for the technology, this is not the only use case.</description><link>http://www.secuobs.com/revue/news/402207.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/402207.shtml</guid></item>
<item><title>Didier Perrot, In-Webo: what alternative for those disappointed by tokens?</title><description>2012-09-17 15:05:59 - Global Security Mag Online : The Web economy is here, and here to stay. The first consequence of the generalization of the network of networks is that the entry points to the information system have multiplied, blowing apart traditional perimeters. Access to the information system is therefore the first major IT risk a company must face, and according to a 2012 Mandiant study, 100% of attackers got into systems by presenting legitimate identities. The generalization of mobility and the transition towards a ... - Points de Vue</description><link>http://www.secuobs.com/revue/news/400034.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/400034.shtml</guid></item>
<item><title>CRIME: Deflate Token Bruteforce</title><description>2012-09-13 00:42:02 - Security Bloggers Network : CRIME: Deflate Token Bruteforce. INTRO: Many people are talking about the new SSL/TLS attack called CRIME (brought to you by the same people who did BEAST). Just as</description><link>http://www.secuobs.com/revue/news/399299.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/399299.shtml</guid></item>
<item><title>Ripping OAuth tokens (or other secrets) out of TweetDeck, Twitter.app, and other apps</title><description>2012-08-20 18:48:29 - time to bleed by Joe Damato : If you enjoy this article, subscribe (via RSS or e-mail) and follow me on twitter. The setup: So, you have some sort of OS X app. Maybe it's Twitter.app, TweetDeck, or something else that has a secret stored inside the binary. You want to extract this secret, maybe because you want to impersonate the official client ...</description><link>http://www.secuobs.com/revue/news/394647.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/394647.shtml</guid></item>
<item><title>Liaison Technologies Token Manager 2.2 Further Enhances Enterprise Data Security</title><description>2012-08-03 00:37:27 - Security Bloggers Network : Token Manager 2.2 offers high-volume connection pooling and improved caching of static data.</description><link>http://www.secuobs.com/revue/news/391390.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/391390.shtml</guid></item>
<item><title>Vigilance - WebSphere AS: LTPA token disclosure with JAX-RPC, analyzed on 05/07/2012</title><description>2012-07-20 14:23:48 - Vigilance   public vulnerabilities : An authenticated attacker can obtain the LTPA token of another user of a WebSphere Application Server application with JAX-RPC and WS-Security enabled.</description><link>http://www.secuobs.com/revue/news/388637.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/388637.shtml</guid></item>
<item><title>WebGoat - Cross-Site Scripting (XSS) - CSRF Token By-Pass</title><description>2012-07-19 10:05:45 - SecurityTube.Net : In this video you will learn how to perform Cross-site request forgery for Token Bypass. Have a look at this site: http://otakku-udang.blogspot.in/2011/06/csrf-prompt-by-pass-and-csrf-token-by.html WebGoat: WebGoat is a deliberately insecure J2EE web application designed to teach web application security lessons. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application. For example, in one of the lessons the user must use SQL injection to steal fake credit card numbers. The application is a realistic teaching environment, providing users with hints and code to further explain the lesson. More Information: https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project Source: http://code.google.com/p/webgoat</description><link>http://www.secuobs.com/revue/news/388352.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/388352.shtml</guid></item>
<item><title>Honeytokens being used in real world</title><description>2012-07-16 17:31:42 - Security Balance : Very interesting case of honeytokens deployment in this Network World article today. Here's what they did, and here's what happened: "We use Salesforce.com as the single repository for information about all of our current customers, potential sales opportunities, sales forecasts and more. It's all highly sensitive material and not anything we'd like our competitors to get their hands on. That's why one of our marketing executives was worried when she called me into her office earlier this week. She had received a marketing email from one of our competitors. The interesting thing about this email was that it was sent to all of the dummy, or "honey token," email accounts that we had set up in Salesforce for testing purposes. The implication was that the email had also gone to all of our legitimate customers and that this competitor somehow had gotten access to the information in our Salesforce deployment." XaaS, cloud services in general are a fertile terrain for honeytokens deployment. Don't forget them as tools to complement your DLP strategy.</description><link>http://www.secuobs.com/revue/news/387508.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/387508.shtml</guid></item>
<item><title>Security Manager's Journal: The sales rep and the honey tokens</title><description>2012-07-16 14:34:03 - Network World on Security : A competitor suddenly seems to know a lot about the customers of our manager's company. Did a former employee take sensitive data when he left?</description><link>http://www.secuobs.com/revue/news/387464.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/387464.shtml</guid></item>
<item><title>Survey reveals companies spend months recovering lost tokens</title><description>2012-07-10 07:03:04 - SecurityPark.net : Some companies admit they lose up to 75% of their authentication devices. Millions of pounds are being wasted every year recovering and replacing lost physical authentication tokens as IT professionals admit the ongoing management costs are huge as users frequently lose them. That's the findings of a survey recently conducted by SecurEnvoy, who found that a staggering 12% of companies waste 'mo  more  </description><link>http://www.secuobs.com/revue/news/386254.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/386254.shtml</guid></item>
<item><title>World e-ID Conference to present state-of-the-art in online services, PKI, multiple e-ID tokens, access control, cloud computing secure documents</title><description>2012-07-09 06:34:10 - BiometricNewsPortal.com : The World e-ID Congress conference will gather over 60 world-class experts in digital identity for a worldwide review of key e-ID programs, standards, policies, best practices while discussing the hottest innovations and technology trends Several Keynotes have been distinguished  EU stakeholders to address in particular the new European ID and eS </description><link>http://www.secuobs.com/revue/news/386035.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/386035.shtml</guid></item>
<item><title>Flaws in PKCS#1 v1.5 padding: SecurID token key extracted in 13 minutes</title><description>2012-06-29 19:53:06 - Reverse Engineering : submitted by igor_sk</description><link>http://www.secuobs.com/revue/news/384643.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/384643.shtml</guid></item>
<item><title>Risky Business #244 -- Padding oracle attacks on crypto tokens: How bad?</title><description>2012-06-28 07:43:36 - Risky Business : Tagline: Is the sky falling or is this a case of "nothing to see"? There's a lot of really interesting news this week. Adam Boileau is back on deck at the top of the show to discuss shitty security at the Ecuadorian embassy in London, the new tool DroidSheep, DARPA's (DERPA? Lol) attempts at securing the architectural mess that is Android, dudes going to prison, other dudes getting away with stuff and much, much more. read more</description><link>http://www.secuobs.com/revue/news/384311.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/384311.shtml</guid></item>
<item><title>Experts Say Attack on Crypto Tokens is Serious, But Not Catastrophic</title><description>2012-06-27 16:29:46 - threatpost   The First Stop for Security News :    A group of international academic researchers has made a major advance in the efficiency of a known cryptographic attack on some kinds of crypto hardware, enabling them to extract sensitive keys from tokens such as RSA SecurID and Aladdin eToken devices within 20 minutes However, experts say that the attack does not represent a catastrophic failure for the tokens read more </description><link>http://www.secuobs.com/revue/news/384114.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/384114.shtml</guid></item>
<item><title>Researchers devise practical key recovery attack against smart cards, security tokens</title><description>2012-06-27 15:03:55 - Network World on Security : A team of cryptographic researchers claim to have developed an attack method that can be used to recover secret keys in an acceptable time frame from cryptographic devices like smart cards, hardware security modules and USB security tokens </description><link>http://www.secuobs.com/revue/news/384096.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/384096.shtml</guid></item>
<item><title>Don't Believe Everything You Read: Your RSA SecurID Token is Not Cracked</title><description>2012-06-27 01:48:13 - Security Bloggers Network : This week, RSA has received many inquiries, press pickups, blog entries, and tweets regarding an alleged "crack" by scientific researchers of the RSA SecurID 800 authenticator. This is an alarming claim and should rightly concern customers who have deployed the RSA SecurID 800 authenticator. The only problem is that it's not true. Much of the information being reported overstates the practical implications of the research, and confuses technical language in ways that make it impossible for security practitioners to assess risk associated with the products they use today accurately. The initial result is time wasted by product users and the community at large, determining the true facts of the situation.</description><link>http://www.secuobs.com/revue/news/383952.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/383952.shtml</guid></item>
<item><title> Researchers break RSA SecurID 800 token in 13 minutes</title><description>2012-06-26 18:54:44 - Help Net Security   News : An international team of scientists that goes by the name of  Team Prosecco  claims to have devised attacks that manage to extract the secret cryptographic key from RSA's SecurID 800 token, as well as </description><link>http://www.secuobs.com/revue/news/383875.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/383875.shtml</guid></item>
<item><title>Scientists crack RSA SecurID 800 tokens, steal cryptographic keys</title><description>2012-06-25 18:19:47 - Ars Technica   Risk Assessment : Scientists penetrate hardened security devices in under 15 minutes </description><link>http://www.secuobs.com/revue/news/383604.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/383604.shtml</guid></item>
<item><title>Metasploit: tips, tricks, hashes and tokens</title><description>2012-06-20 05:37:46 - Security Bloggers Network : Metasploit is one of the many tools that can be used during a penetration test, and it actually consists of a whole suite of tools that forms part of a complete attacking framework. Metasploit is not the best tool for every job during a penetration test. However it definitely has its place, and can be very handy if used appropriately. For the purpose of this blog I will go through a scenario of steps that might be taken during a penetration test. I will purposely use only Metasploit, doing so trying to demonstrate the potential that Metasploit has. It is</description><link>http://www.secuobs.com/revue/news/382562.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/382562.shtml</guid></item>
<item><title>Encryption solutions for the cloud, Part 3: PerspecSys offers encryption, tokenization for SaaS applications</title><description>2012-06-14 20:20:27 - Security Bloggers Network : This is the second in a series of posts on cloud encryption solutions. Security vendor PerspecSys is tackling the cloud computing space from the SaaS angle. PerspecSys believes that many organizations want to enjoy the speed and ease of deployment as well as the cost advantages that SaaS solutions such as Salesforce.com provide, but issues like data privacy, residency and ... Read more</description><link>http://www.secuobs.com/revue/news/381655.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/381655.shtml</guid></item>
<item><title>Upcoming: Tokenization Webcast This Week</title><description>2012-06-11 21:46:59 - Security Bloggers Network : If you are interested in discussing use cases and deployment models for Tokenization, you're in luck! This Thursday (June 14th) at 1:00 PM Eastern I'll be providing a webcast on Tokenization in conjunction with Intel   McAfee W</description><link>http://www.secuobs.com/revue/news/380877.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/380877.shtml</guid></item>
<item><title>Our thoughts on the RSA SecurID software token research</title><description>2012-05-25 23:11:53 - Security Bloggers Network : Guest Blog Post by Dan Schiappa, Senior Vice President, Identity   Data Protection As researchers from SensePost have recently demonstrated in their attack simulations on one type of RSA SecurID authenticator   the RSA SecurID Software Token for Windows   scrutiny of security methods, processes, and operating environments is a valuable exercise It can deliver benefit to the software industry and its ecosystem of vendors, security practitioners, and the users they protect in their organizations Ultimately it helps ensure better and safer products </description><link>http://www.secuobs.com/revue/news/377868.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/377868.shtml</guid></item>
<item><title>RSA SecureID software token update</title><description>2012-05-24 11:47:27 - extern blog SensePost : There has been a healthy reaction to our initial post on our research into the RSA SecureID Software Token. A number of readers had questions about certain aspects of the research, and I thought I'd clear up a number of concerns that people have. The research pointed out two findings, the first of which is in fact a design vulnerability in RSA software's "Token Binding" mechanism. The second finding is another design issue that affects not only the RSA software token but also any other software which generates pseudo-random numbers from a "secret seed" running on traditional computing devices such as laptops, tablets or mobile phones. The correct way of performing this has been approached with hardware tokens, which are often tamper-resistant. Let me first explain one of the usual use cases of RSA software token deployments: 1. The user applies for a token via an RSA self-service console or a custom web form. 2. The user receives an email which contains the "software token download URL"; once the software is installed, they should open the program and then choose Token Storage Devices, where they would read the "Device Serial Number" and reply back with this device serial number to complete their token request. 3. The second email will contain an attachment of the user's personal RSA SecurID Token Configuration file, which they will import to the RSA software token. This configuration file is bound to the user's laptop or PC. 4. The third email contains an initial password to activate the token. An attacker who is able to capture the victim's configuration file and initial password (the security of this initial password is subject to future research at SensePost and will be released in the future) would be able to import it into his token using the described method to bypass the token binding. This attack can be launched remotely and does not require a "fully compromised machine" as RSA have stated. The second finding, as I mentioned before, is a known issue with all software tokens. Our aim at SensePost was to demonstrate how easy/hard it would be for an attacker, who has already compromised a system, to extract RSA token secrets and clone them on another machine. A number of people commented on the fact that we did not disclose the steps required to update the LSA secrets on the cloned system. Whilst this technique is relatively easy to do, it is not required for this attack to function. If a piece of malware was written for this attack, it does NOT have to grab the DPAPI blobs and replicate them on the attacker's machine. It can simply hook into CryptUnprotectData and steal the decrypted blobs once the RSA software token starts execution. The sole reason I included the steps to replicate the DPAPI on another machine was that this research was performed during a real world assessment, which was time-limited. We chose to demonstrate the attack to the client by replicating the DPAPI blobs instead of developing a proof of concept malcode. A real-world malware targeting RSA software tokens would choose the API hooking method or a similar approach to grab the decrypted seed and post it back to the attacker. "I'm also curious to know whether software tokens running on smartphones might be vulnerable." The "Token Binding" bypass attack would be successful on these devices, but with a different device serial ID calculation formula. However, the application sandboxing model deployed on most modern smartphone operating systems would make it more difficult for a malicious application, deployed on the device, to extract the software token's secret seeds. Obviously, if an attacker has physical access to a device for a short time, they would be able to extract those secrets. This is in contrast to tamper-proof hardware tokens or smart cards, which by design provide a very good level of protection, even if they are in the hands of an attacker for a long time. "Are the shortcomings you document particular to RSA or probably applicable to Windows software tokens from rival vendors too?" All software tokens found to be executing a pseudo-random number generation algorithm that is based on a "secret value" are vulnerable to this type of cloning attack, not because of algorithm vulnerabilities, but simply because the software is running on an operating system and storage that is not designed to be tamper-resistant like modern smart cards, TPM chips and secure memory cards. One solution for this might be implementing a "trusted execution" environment into CPUs, which has been done before for desktops and laptops by Intel (Intel TXT) and AMD. ARM's TrustZone technology is a similar implementation, which targets mobile phone devices and secures mobile software from logical and a range of physical attacks.</description><link>http://www.secuobs.com/revue/news/377409.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/377409.shtml</guid></item>
<item><title>RSA SecurID software token cloning  a new how-to</title><description>2012-05-22 02:04:04 - Ars Technica   Risk Assessment : The attack bypasses protections built in RSA's 2-factor authentication system </description><link>http://www.secuobs.com/revue/news/376809.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/376809.shtml</guid></item>
<item><title>A closer look into the RSA SecureID software token</title><description>2012-05-17 14:58:01 - extern blog SensePost : Widespread use of smart phones by employees to perform work related activities has introduced the idea of using these devices as an authentication token. As an example of such attempts, RSA SecureID software tokens are available for iPhone, Nokia and the Windows platforms. Obviously, mobile phones would not be able to provide the level of tamper-resistance that hardware tokens would, but I was interested to know how easy/hard it could be for a potential attacker to clone RSA SecureID software tokens. I used the Windows version of the RSA SecurID Software Token for Microsoft Windows, version 4.1.0, for my analysis and discovered the following issues. Device serial number of tokens can be calculated by a remote attacker: Every instance of the installed SecurID software token application contains a hard drive plug-in (implemented in tokenstoreplugin.dll) that has a unique device serial number. This serial number can be used for "Device Binding" and the RSA documentation defines it as follows: "Before the software token is issued by RSA Authentication Manager, an additional extension attribute can be added to the software token record to bind the software token to a specific device. Device serial number is used to bind a token to a specific device. If the same user installs the application on a different computer, the user cannot import software tokens into the application because the hard drive plug-in on the second computer has a different device serial number from the one to which the user's tokens are bound." Reverse engineering the Hard-Disk plugin (tokenstoreplugin.dll) indicated that the device serial number is dependent on the system's host name and the current user's Windows security identifier (SID). An attacker with access to these values can easily calculate the target token's device serial number and bypass the above mentioned protection. Account SIDs can be enumerated in most Microsoft Active Directory based networks using publicly available tools, if the "enumeration of SAM accounts and shares" security setting was not set to disabled. Host names can be easily resolved using internal DNS or Microsoft RPC. The following figures show the device serial number generation code. The SecureID device serial number calculation can be represented with the following formula: device_serial_number = Left(SHA1(host_name + user_SID + "RSA Copyright 2008"), 10). Token's copy protection: The software token information, including the secret seed value, is stored in a SQLite version 3 database file named RSASecurIDStorage under the "%USERPROFILE%\Local Settings\Application Data\RSA\RSA SecurID Software Token Library" directory. This file can be viewed by any SQLite database browser, but sensitive information such as the checksum and seed values are encrypted. RSA documentation states that this database file is both encrypted and copy protected: "RSA SecurID Software Token for Windows uses the following data protection mechanisms to tie the token database to a specific computer: binding the database to the computer's primary hard disk drive; implementing the Windows Data Protection API (DPAPI). These mechanisms ensure that an intruder cannot move the token database to another computer and access the tokens. Even if you disable copy protection, the database is still protected by DPAPI." The RSASecurIDStorage database file has two tables: PROPERTIES and TOKENS. The DatabaseKey and CryptoChecksum rows found in the PROPERTIES table were found to be used for copy protection purposes, as shown in the figure below. Reverse engineering of the copy protection mechanism indicated that: the CryptoChecksum value is encrypted using the machine's master key, which can only be decrypted on the same computer system, unless the attacker can find a way to import the machine key and other supporting data to their machine; the DatabaseKey is encrypted using the current logged-on user's master key and provides token binding to that user account. Previous research on the Microsoft Windows DPAPI internals has made offline decryption of the DPAPI protected data possible. This means that if the attacker was able to copy the RSA token database file along with the encryption master keys to their system (for instance by infecting a victim's machine with a rootkit), then it would be possible to decrypt the token database file on their machine. The detailed attack steps to clone a SecurID software token by copying the token database file from a victim's system are as follows: 1. Copy the token database file, RSASecurIDStorage, from the user profile directory. 2. Copy the user's master key from %PROFILEDIR%\Application Data\Microsoft\Protect\%SID% (the current master key's GUID can be read from the Preferred file as shown in the figure below). 3. Copy the machine's master key from the %WINDIR%\system32\Microsoft\Protect directory. Microsoft Windows protects machine keys against tampering by using SHA1 hash values, which are stored and handled by the Local Security Authority Subsystem Service (LSASS) process in Microsoft Windows operating systems. The attacker should also dump these hash values from LSA using publicly available tools like lsadump. Having all the required master keys and token database file, install and deploy a Windows machine and change the machine and user SIDs to the victim's system SID by using available tools such as newSID. Overwrite the token database file, user and machine master keys with the ones copied from the victim's system. You would also need to find a way to update the DPAPI_SYSTEM value in the LSA secrets of the Windows machine (currently, this is the only challenge that I was not able to solve, but it should be possible to write a tool similar to lsadump which updates LSA secrets). When the above has been performed, you should have successfully cloned the victim's software token, and if they run the SecurID software token program on your computer, it will generate the exact same random numbers that are displayed on the victim's token. In order to demonstrate the possibility of the above mentioned attack, I installed and activated token A and token B on two separate Windows XP virtual machines and attempted to clone token B on the virtual machine that was running token A. Taking the above steps, token B was successfully cloned on the machine running token A, as shown in the following figures. In order to counter the aforementioned issues, I would recommend the use of "trusted platform module" (TPM) bindings, which associate the software token with the TPM chip on the system (TPM chip for mobiles: there are vendors working on it).</description><link>http://www.secuobs.com/revue/news/376109.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/376109.shtml</guid></item>
<item><title>BYOT: Bring Your Own Token</title><description>2012-04-19 07:44:26 - Help Net Security   News : SecurEnvoy revealed details of its latest release that gives users full flexibility of the device they use, while ensuring complete security to the organization. At the click of a button users can</description><link>http://www.secuobs.com/revue/news/370807.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/370807.shtml</guid></item>
<item><title>Protecting Privileged Domain Accounts: Safeguarding Access Tokens</title><description>2012-03-21 23:32:04 - Security Bloggers Network : Author's Note: This is the 4th in a multi-part series on the topic of "Protecting Privileged Domain Accounts". My primary goal is to help incident responders protect their privileged accounts when interacting with compromised hosts, though I also believ</description><link>http://www.secuobs.com/revue/news/365258.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/365258.shtml</guid></item>
<item><title>Vigilance - RSA SecurID Software Token Converter: buffer overflow, analyzed on 06/03/2012</title><description>2012-03-21 17:37:08 - Vigilance   public vulnerabilities : An attacker can trigger an overflow in the RSA SecurID Software Token Converter, in order to cause a denial of service or execute code.</description><link>http://www.secuobs.com/revue/news/365125.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/365125.shtml</guid></item>
<item><title>Talkin' Tokenization</title><description>2012-03-19 23:37:16 - Security Bloggers Network : I want to announce a couple webcasts I'll be on this week regarding tokenization: one will be focused on the grey areas of compliance with tokenization, the other will offer buyers a list of key evaluation criteria. The first will be Tue</description><link>http://www.secuobs.com/revue/news/364724.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/364724.shtml</guid></item>
<item><title>SecurEnvoy's Business Booms as demand for Two Factor Tokenless Authentication Escalates</title><description>2012-03-07 06:01:12 - SecurityPark.net : Bring your own device strategies fuel demand. In what is a difficult trading period for many companies globally, SecurEnvoy instead filed its most profitable year on record, growing by 55%, in 2011. The Company has expanded its global reach from 42 countries to 47 through its successful partner programme - most recently in Russia, Czech Republic, USA, Thailand and Hong Kong. The success doesn't  more  </description><link>http://www.secuobs.com/revue/news/361860.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/361860.shtml</guid></item>
<item><title>How to enable WIF token replay detection</title><description>2012-03-02 18:41:30 - Security Bloggers Network : Windows Identity Foundation  WIF  is vulnerable to replay attacks of security tokens in its default configuration The  Replay Detection  article on MSDN presents a good example of how things can go wrong without the replay detection  why do  </description><link>http://www.secuobs.com/revue/news/361114.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/361114.shtml</guid></item>
<item><title>Webcast Wednesday 22nd: Tokenization Scope Reduction</title><description>2012-02-20 20:00:13 - Security Bloggers Network : Just a quick announcement that this week on Wednesday I'll be doing a webcast on how to look for ways to reduce PCI-DSS scope and audit costs with Tokenization. This will cover the meaty part of the Tokenization Guidance paper from last y </description><link>http://www.secuobs.com/revue/news/358861.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/358861.shtml</guid></item>
<item><title>Strong Authentication  Bring-Your-Own-Token Is Number Three With A Bullet</title><description>2012-02-16 00:02:26 - Security Bloggers Network :  read more </description><link>http://www.secuobs.com/revue/news/358107.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/358107.shtml</guid></item>
<item><title>Mixing Forms and Token Authentication in a single ASP.NET Application (the Details)</title><description>2012-02-02 09:07:14 - www.leastprivilege.com : The scenario described in my last post works because of the design around HTTP modules in ASP.NET. Authentication related modules (like Forms authentication and WIF WS-Fed / Sessions) typically subscribe to three events in the pipeline: AuthenticateRequest / PostAuthenticateRequest for pre-processing and EndRequest for post-processing (like making redirects to a login page). In the pre-processing stage it is the modules' job to determine the identity of the client based on incoming HTTP details (like a header, cookie, form post) and set HttpContext.User and Thread.CurrentPrincipal. The actual page (in the ExecuteHandler event) "sees" the identity that the last module has set. So in our case there are three modules in effect:
- FormsAuthenticationModule (AuthenticateRequest, EndRequest)
- WSFederationAuthenticationModule (AuthenticateRequest, PostAuthenticateRequest, EndRequest)
- SessionAuthenticationModule (AuthenticateRequest, PostAuthenticateRequest)
So let's have a look at the different scenarios we have when mixing Forms auth and WS-Federation.
Anonymous request to unprotected resource: This is the easiest case. Since there is no WIF session cookie or a FormsAuth cookie, these modules do nothing. The WSFed module creates an anonymous ClaimsPrincipal and calls the registered ClaimsAuthenticationManager (if any) to transform it. The result (by default an anonymous ClaimsPrincipal) gets set.
Anonymous request to FormsAuth protected resource: This is the scenario where an anonymous user tries to access a FormsAuth protected resource for the first time. The principal is anonymous and before the page gets rendered, the Authorize attribute kicks in. The attribute determines that the user needs authentication and therefore sets a 401 status code and ends the request. Now execution jumps to the EndRequest event, where the FormsAuth module takes over. The module then converts the 401 to a redirect (302) to the forms login page. If authentication is successful, the login page sets the FormsAuth cookie.
FormsAuth authenticated request to a FormsAuth protected resource: Now a FormsAuth cookie is present, which gets validated by the FormsAuth module. This cookie gets turned into a GenericPrincipal / FormsIdentity combination. The WS-Fed module turns the principal into a ClaimsPrincipal and calls the registered ClaimsAuthenticationManager. The outcome of that gets set on the context.
Anonymous request to STS protected resource: This time the anonymous user tries to access an STS protected resource (a controller decorated with the RequireTokenAuthentication attribute). The attribute determines that the user needs STS authentication by checking the authentication type on the current principal. If this is not Federation, the redirect to the STS will be made. After successful authentication at the STS, the STS posts the token back to the application (using WS-Federation syntax).
Postback from STS authentication: After the postback, the WS-Fed module finds the token response and validates the contained token. If successful, the token gets transformed by the ClaimsAuthenticationManager, and the outcome is a) stored in a session cookie, and b) set on the context.
STS authenticated request to an STS protected resource: This time the WIF Session authentication module kicks in because it can find the previously issued session cookie. The module re-hydrates the ClaimsPrincipal from the cookie and sets it.
FormsAuth and STS authenticated request to a protected resource: This is kind of an odd case, e.g. the user first authenticated using Forms and after that using the STS. This time the FormsAuth module does its work, and then afterwards the session module stomps over the context with the session principal. In other words, the STS identity wins.
What about roles? A common way to set roles in ASP.NET is to use the role manager feature. There is a corresponding HTTP module for that (RoleManagerModule) that handles PostAuthenticateRequest. Does this collide with the above combinations? No it doesn't. When the WS-Fed module turns existing principals into a ClaimsPrincipal (like it did with the FormsIdentity), it also checks for RolePrincipal (which is the principal type created by role manager), and turns the roles into role claims. Nice! But as you can see in the last scenario above, this might result in unnecessary work, so I would rather recommend consolidating all role work (and other claims transformations) into the ClaimsAuthenticationManager. In there you can check for the authentication type of the incoming principal and act accordingly. HTH</description><link>http://www.secuobs.com/revue/news/355464.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/355464.shtml</guid></item>
<item><title>Mixing Forms and Token Authentication in a single ASP.NET Application</title><description>2012-02-02 06:19:28 - www.leastprivilege.com : I recently had the task to find out how to mix ASP.NET Forms Authentication with WIF's WS-Federation. The FormsAuth app did already exist, and a new sub-directory of this application should use ADFS for authentication. Minimum changes to the existing application code would be a plus. Since the application is using ASP.NET MVC this was quite easy to accomplish (WebForms would be a little harder, but still doable). I will discuss the MVC solution here. To solve this problem, I made the following changes to the standard MVC internet application template:
- Added WIF's WSFederationAuthenticationModule and SessionAuthenticationModule to the modules section
- Added a WIF configuration section to configure the trust with ADFS
- Added a new authorization attribute. This attribute will go on controllers that demand ADFS (or STS in general) authentication. The attribute logic is quite simple: it checks for authenticated users, and additionally that the authentication type is set to Federation. If that's the case all is good, if not, the redirect to the STS will be triggered.

public class RequireTokenAuthenticationAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (httpContext.User.Identity.IsAuthenticated &amp;&amp;
            httpContext.User.Identity.AuthenticationType.Equals(
                WIF.AuthenticationTypes.Federation, StringComparison.OrdinalIgnoreCase))
        {
            return true;
        }

        return false;
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // do the redirect to the STS
        var message = FederatedAuthentication.WSFederationAuthenticationModule.CreateSignInRequest(
            "passive", filterContext.HttpContext.Request.RawUrl, false);
        filterContext.Result = new RedirectResult(message.RequestUrl);
    }
}

That's it. If you want to know why this works (and a possible gotcha), read my next post.</description><link>http://www.secuobs.com/revue/news/355449.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/355449.shtml</guid></item>
<item><title>SafeNet eToken 3500 secures transactions and simplifies the use of online banking services</title><description>2012-01-17 15:01:04 - Global Security Mag Online : SafeNet, Inc. announces the availability of a new transaction and identity protection solution, which addresses the multiple levels of risk associated with online financial and banking transactions. SafeNet's new eToken 3500 solution is an innovative electronic signature and strong authentication device in the form of a token, allowing financial services organizations to strike the right balance between risk mitigation, cost-effectiveness and convenience. - Products </description><link>http://www.secuobs.com/revue/news/352455.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/352455.shtml</guid></item>
<item><title>RadioTrueNorth 15520am  Via Token s SDR in Mojave </title><description>2012-01-14 21:33:49 - the electric stranger : RadioTrueNorth_14-Jan-2012-1442_15520MHzmp3 Listen on Posterous Wewt, was accidentally recording when the shout out came Thanks RTN, and Thanks Token for making your SDR available  Tweet </description><link>http://www.secuobs.com/revue/news/352135.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/352135.shtml</guid></item>
<item><title>Backtrack 5 R1 , Metasploit and Stolen Tokens in Active Directory  AD  Domain</title><description>2012-01-13 05:44:29 - SecurityTube.Net : Backtrack 5 R1 , Metasploit and Stolen Tokens in Active Directory  AD  Domain Special tnx  vivek  ,  DM IMAGE  </description><link>http://www.secuobs.com/revue/news/351860.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/351860.shtml</guid></item>
<item><title>Columbia Sportswear Leverages Tokenization And Encryption To Reduce PCI Scope</title><description>2012-01-11 20:23:16 - Security Bloggers Network : will be implementing an integrated point-to-point encryption payment solution from Merchant Link, Equinox and Voltage Security </description><link>http://www.secuobs.com/revue/news/351545.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/351545.shtml</guid></item>
<item><title>SecurityTube Metasploit Framework Expert Part 9: Token Stealing and Incognito</title><description>2012-01-08 18:16:57 - SecurityTube.Net : This is Part 9 of the SecurityTube Metasploit Framework Expert (SMFE) course material. You can begin by watching Part 1 here: http://www.securitytube.net/video/2556 Enjoy! Certifications page: http://www.securitytube.net/cert-list In this video, we will look at what Windows tokens are and how a hacker can steal tokens to impersonate the identity of another user on either the local machine or network wide. We will explore the incognito extension to understand how to steal and use tokens on a compromised box in the post exploitation phase. This is a very important concept, so please pay attention. As always, your comments are well appreciated.</description><link>http://www.secuobs.com/revue/news/350866.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/350866.shtml</guid></item>
<item><title>Vigilance - RSA SecurID Software Token: code execution via DLL Preload, analyzed on 15/12/2011</title><description>2011-12-30 14:34:19 - Vigilance public vulnerabilities: An attacker can create a malicious DLL and invite the victim to open a Software Token file located in the same directory, in order to execute code </description><link>http://www.secuobs.com/revue/news/349592.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/349592.shtml</guid></item>
<item><title>More About Software Tokens</title><description>2011-12-29 23:34:24 - Dark Reading   All Stories : When software tokens are as strong as hardware ones </description><link>http://www.secuobs.com/revue/news/349506.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/349506.shtml</guid></item>
<item><title>Tokenization  An Alternative Form of Data Protection   Podcast  232</title><description>2011-12-20 23:21:12 - Security Bloggers Network :  Host Michelle Adams-Dixon talks with Liz Robinson, Senior Product Marketing Manager for RSA about tokenization   an up and coming alternative to more traditional means of data protection </description><link>http://www.secuobs.com/revue/news/348302.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/348302.shtml</guid></item>
<item><title>CERTA-2011-AVI-701: Vulnerability in RSA SecurID Software Token (16 December 2011)</title><description>2011-12-16 15:49:20 - Latest CERTA documents: A vulnerability in RSA SecurID Software Token 4.1 allows a malicious person to execute arbitrary code remotely </description><link>http://www.secuobs.com/revue/news/347591.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/347591.shtml</guid></item>
<item><title>Tokenization Guidance White Paper Available</title><description>2011-12-13 08:22:52 - Security Bloggers Network : We are pleased to announce the availability of our latest white paper: Tokenization Guidance: How to Reduce PCI Compliance Costs. It discusses the dos and don'ts of replacing credit card data with tokens, to improve security while reduci </description><link>http://www.secuobs.com/revue/news/346800.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/346800.shtml</guid></item>
<item><title>Tokenization of Credit Card Numbers and the CAP Theorem</title><description>2011-12-12 20:20:25 - Security Bloggers Network : Introduction In the payment card industry there are a set of security standards and best practices that are defined by the Payment Card Industry Security Standards Council  PCI  with a goal of protecting card holder data Entities such as brick-and-mortar merchants, e-commerce merchants, payment card processors, and acquirers are all required to follow the standards and best practices defined by PCI Protection of card holder data includes encryption and tokenization In this article we shall focus on tokenization, in particular the concept of a card data vault and how the CAP theorem reduces to the choice of giving up consistency </description><link>http://www.secuobs.com/revue/news/346709.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/346709.shtml</guid></item>
<item><title>Pros losing confidence in hard tokens</title><description>2011-12-12 14:30:04 - Help Net Security   News : Almost a quarter of organizations, 23%, have suffered a security breach as a result of identity fraud which was linked to a lost or stolen authentication device, according to Entrust. The survey, w </description><link>http://www.secuobs.com/revue/news/346626.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/346626.shtml</guid></item>
<item><title>Token based Authentication for WCF HTTP REST Services: Authorization</title><description>2011-11-16 09:46:11 - www.leastprivilege.com : In the previous post I showed how token based authentication can be implemented for WCF HTTP based services. Authentication is the process of finding out who the user is; this includes anonymous users. Then it is up to the service to decide under which circumstances the client has access to the service as a whole or individual operations. This is called authorization. By default, my framework does not allow anonymous users and will deny access right in the service authorization manager. You can however turn anonymous access on; that means technically, that instead of denying access, an anonymous principal is placed on Thread.CurrentPrincipal. You can flip that switch in the configuration class that you can pass into the service host factory:

var configuration = new WebTokenWebServiceHostConfiguration
{
    AllowAnonymousAccess = true
};

But this is not enough, in addition you also need to decorate the individual operations to allow anonymous access as well, e.g.:

[AllowAnonymousAccess]
public string GetInfo()
{ ... }

Inside these operations you might have an authenticated or an anonymous principal on Thread.CurrentPrincipal, and it is up to your code to decide what to do. Side note: Being a security guy, I like this opt-in approach to anonymous access much better than all those opt-out approaches out there (like the Authorize attribute, or this).
Claims-based Authorization: Since there is a ClaimsPrincipal available, you can use the standard WIF claims authorization manager infrastructure, either declaratively via ClaimsPrincipalPermission or programmatically (see also here):

[ClaimsPrincipalPermission(SecurityAction.Demand, Resource = "Claims", Operation = "View")]
public ViewClaims GetClientIdentity()
{
    return new ServiceLogic().GetClaims();
}

In addition you can also turn off per-request authorization (see here for background) via the config and just use the "domain specific" instrumentation. While the code is not 100% done, you can download the current solution here. HTH. Wanna learn more about federation, WIF, claims, tokens etc.? Click here.</description><link>http://www.secuobs.com/revue/news/340935.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/340935.shtml</guid></item>
<item><title>Token based Authentication for WCF HTTP REST Services: The Client</title><description>2011-11-15 18:33:50 - www.leastprivilege.com : If you wondered how a client would have to look like to work with the authentication framework, it is pretty straightforward: 1. Request a token. 2. Put that token on the authorization header (along with a registered scheme) and make the service call. E.g.:

var oauth2 = new OAuth2Client(oauth2Address);
var swt = oauth2.RequestAccessToken("username", "password", _baseAddress.AbsoluteUri);

var client = new HttpClient { BaseAddress = _baseAddress };
client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", swt);

var response = client.Get("identity");
response.EnsureSuccessStatusCode();

HTH</description><link>http://www.secuobs.com/revue/news/340799.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/340799.shtml</guid></item>
<item><title>Token based Authentication for WCF HTTP REST Services: Authentication</title><description>2011-11-15 17:42:05 - www.leastprivilege.com : This post shows some of the implementation techniques for adding token and claims based security to HTTP / REST services written with WCF. For the theoretical background, see my previous post. Disclaimer: The framework I am building here is not the only possible approach to tackle the problem. Based on customer feedback and requirements the code has gone through several iterations to a point where we think it is ready to handle most of the situations.
Goals and requirements:
- The framework should be able to handle typical scenarios like username/password based authentication, as well as token based authentication
- The framework should allow adding new supported token types
- Should work with the WCF web programming model, either self-hosted or IIS hosted
- Service code can rely on an IClaimsPrincipal on Thread.CurrentPrincipal that describes the client using claims-based identity
Implementation overview: In WCF the main extensibility point for this kind of security work is the ServiceAuthorizationManager. It gets invoked early enough in the pipeline, has access to the HTTP protocol details of the incoming request and can set Thread.CurrentPrincipal. The job of the SAM is simple:
1. Check the Authorization header of the incoming HTTP request.
2. Check if a "registered" token (more on that later) is present.
3. If yes, validate the token using a security token handler, create the claims principal (including claims transformation) and set Thread.CurrentPrincipal.
4. If no, set an anonymous principal on Thread.CurrentPrincipal. By default, anonymous principals are denied access, so the request ends here with a 401 (more on that later).
To wire up the custom authorization manager you need a custom service host, which in turn needs a custom service host factory.
Token handling: A nice piece of existing WIF infrastructure are security token handlers. Their job is to serialize a received security token into a CLR representation, validate the token and turn the token into claims. The way this works with WS-Security based services is that WIF passes the name/namespace of the incoming token to WIF's security token handler collection. This in turn finds out which token handler can deal with the token and returns the right instance. For HTTP based services we can do something very similar. The scheme on the Authorization header gives the service a hint how to deal with an incoming token. So the only missing link is a way to associate a token handler (or multiple token handlers) with a scheme and we are (almost) done. WIF already includes token handlers for a variety of tokens like username/password or SAML 1.1/2.0. The accompanying sample has an implementation for a Simple Web Token (SWT) token handler, and as soon as JSON Web Tokens are ready, simply adding a corresponding token handler will add support for this token type, too. All supported schemes/token types are organized in a WebSecurityTokenHandlerCollectionManager and passed into the host factory / host / authorization manager. Adding support for basic authentication against a membership provider would e.g. look like this (in global.asax):

var manager = new WebSecurityTokenHandlerCollectionManager();
manager.AddBasicAuthenticationHandler((username, password) => Membership.ValidateUser(username, password));

Adding support for Simple Web Tokens with a scheme of Bearer (the current OAuth2 scheme) requires passing in an issuer, audience and signature verification key:

manager.AddSimpleWebTokenHandler(
    "Bearer",
    "http://identityserver.thinktecture.com/trust/initial",
    "https://roadie/webservicesecurity/rest",
    "WFD7i8XRHsrUPEdwSisdHoHy08W3lM16Bk6SCT8ht6A");

In some situations, SAML tokens may be used as well. The following configures SAML support for a token coming from ADFS2:

var registry = new ConfigurationBasedIssuerNameRegistry();
registry.AddTrustedIssuer("d1 c5 b1 25 97 d0 36 94 65 1c e2 64 fe 48 06 01 35 f7 bd db", "ADFS");

var adfsConfig = new SecurityTokenHandlerConfiguration();
adfsConfig.AudienceRestriction.AllowedAudienceUris.Add(new Uri("https://roadie/webservicesecurity/rest"));
adfsConfig.IssuerNameRegistry = registry;
adfsConfig.CertificateValidator = X509CertificateValidator.None;

// token decryption (read from config)
adfsConfig.ServiceTokenResolver = IdentityModelConfiguration.ServiceConfiguration.CreateAggregateTokenResolver();

manager.AddSaml11SecurityTokenHandler("SAML", adfsConfig);

Transformation: The custom authorization manager will also try to invoke a configured claims authentication manager. This means that the standard WIF claims transformation logic can be used here as well. And even better, it can also be shared with e.g. a "surrounding" web application.
Error handling: A WCF error handler takes care of turning "access denied" faults into 401 status codes, and a message inspector adds the registered authentication schemes to the outgoing WWW-Authenticate header when a 401 occurs. The next post will conclude with authorization as well as the source code download. Wanna learn more about federation, WIF, claims, tokens etc.? Click here.</description><link>http://www.secuobs.com/revue/news/340780.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/340780.shtml</guid></item>
<item><title>Token based Authentication and Claims for Restful Services</title><description>2011-11-15 10:39:31 - www.leastprivilege.com : WIF as it exists today is optimized for web applications (passive / WS-Federation) and SOAP based services (active / WS-Trust). While there is limited support for WCF WebServiceHost based services (for standard credential types like Windows and Basic), there is no ready to use plumbing for RESTful services that do authentication based on tokens. This is not an oversight from the WIF team, but the REST services security world is currently rapidly changing, and that's by design. There are a number of intermediate solutions, emerging protocols and token types, as well as some already deprecated ones. So it didn't make sense to bake that into the core feature set of WIF. But after all, the F in WIF stands for Foundation. So just like the WIF APIs integrate tokens and claims into other hosts, this is also (easily) possible with RESTful services. Here's how.
HTTP Services and Authentication: Unlike SOAP services, in the REST world there is no "over" specified security framework like WS-Security. Instead standard HTTP means are used to transmit credentials and SSL is used to secure the transport and data in transit. For most cases the HTTP Authorize header is used to transmit the security token (this can be as simple as a username/password up to issued tokens of some sort). The Authorize header consists of the actual credential (consider this opaque from a transport perspective) as well as a scheme. The scheme is some string that gives the service a hint what type of credential was used (e.g. Basic for basic authentication credentials). HTTP also includes a way to advertise the right credential type back to the client; for this the WWW-Authenticate response header is used. So for token based authentication, the service would simply need to read the incoming Authorization header, extract the token, parse and validate it. After the token has been validated, you also typically want some sort of client identity representation based on the incoming token. This is regardless of how technology-wise the actual service was built. In ASP.NET (MVC) you could use an HttpModule or an ActionFilter. In (today's) WCF, you would use the ServiceAuthorizationManager infrastructure. The nice thing about using WCF's native extensibility points is that you get self-hosting for free. This is where WIF comes into play. WIF has ready to use infrastructure built-in that just needs to be plugged into the corresponding hosting environment:
- Representation of identity based on claims. This is a very natural way of translating a security token (and again I mean this in the widest sense; it could also be a username/password) into something our applications can work with.
- Infrastructure to convert tokens into claims (called security token handler)
- Claims transformation
- Claims-based authorization
So much for the theory. In the next post I will show you how to implement that for WCF, including full source code and samples. Wanna learn more about federation, WIF, claims, tokens etc.? Click here.</description><link>http://www.secuobs.com/revue/news/340690.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/340690.shtml</guid></item>
<item><title>Simple Framework Domain Token Scanner</title><description>2011-11-05 01:53:14 - Security Bloggers Network : Pretty straightforward little pattern here that will run a post module against all open sessions   This RC file assumes that you've got a bunch of open sessions, and now you want to go searching for a domain admin token use post windows gather enum_ </description><link>http://www.secuobs.com/revue/news/338974.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/338974.shtml</guid></item>
<item><title>Tokenization Guidance  PCI Requirement Checklist</title><description>2011-11-04 18:55:58 - Security Bloggers Network :  So far in this series on tokenization guidance for protecting payment data, we have covered the deficiencies with the PCI provided supplement, offered specific advice for merchants who want to reduce audit scope, and provided some specific tips </description><link>http://www.secuobs.com/revue/news/338919.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/338919.shtml</guid></item>
<item><title>Tokenization Guidance   Audit Advice</title><description>2011-11-01 20:40:10 - Security Bloggers Network :  For this portion of our tokenization guidance series, I want to offer some advice for the auditor In this context the auditor is either an internal auditor going through one of the self assessment questionnaires, or an external auditor validat </description><link>http://www.secuobs.com/revue/news/338098.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/338098.shtml</guid></item>
<item><title> Facebook spammers trick users into sharing anti-CSRF tokens</title><description>2011-10-28 08:25:24 - Help Net Security   News : Facebook spammers have already used a number of different approaches to make users inadvertently propagate their scams, and most of them fall into the social engineering category A particularly in </description><link>http://www.secuobs.com/revue/news/337402.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/337402.shtml</guid></item>
<item><title>Please send me your Facebook Anti-CSRF token</title><description>2011-10-27 15:56:06 - Symantec Connect / Security Response / Posts : In the last few months we have seen a variety of spam campaigns propagating on social networking websites. Most of these attacks use some flavor of social engineering tactics. Every now and then, we see some innovative social engineering techniques used by attackers. Here is one such technique that tricks the victim into revealing their all-important Facebook Anti-CSRF token.
Cross-site Request Forgery attacks: A Cross-site Request Forgery (CSRF) is a type of attack in which attackers can re-use an already authenticated session to a website to perform unwanted actions on that website without the user's knowledge or consent. For example, let's say that a user is logged into his or her banking website. If this bank's website suffers from a CSRF weakness, then another malicious website (say, bad.com) can instruct the user's browser to navigate to the bank's webpage to perform actions, such as transferring funds, without the user's knowledge. For the browser and the bank's website, it is equivalent to the user opening another tab and performing these actions themselves. Anti-CSRF tokens are one of the many ways employed by websites to prevent CSRF attacks. Anti-CSRF tokens are usually one-time randomly generated tokens generated by the website. These tokens are submitted as hidden input parameters in Web forms. The tokens are validated at the back-end of the website to rule out any CSRF attacks underway when a form or action is posted. In order to generate a CSRF token, the attackers need to know or guess the Anti-CSRF token, which makes CSRF attacks hard to execute. This blog details techniques used by the attacker to get access to this Anti-CSRF token. There are three stages to this attack.
Stage 1: Falling for the scam. It starts with an enticing message, like the one below, appearing in the user's newsfeed from the user's friend.
Stage 2: Tricking the user to send their Facebook Anti-CSRF token. Upon clicking this link, the user is directed to a fake YouTube Web page as shown below. In order to view the video, the user is prompted to verify their identity. Step 1 of this verification process involves generating a verification code by clicking the Generate Code link. The next and final step is copying and pasting the code obtained in step 1 into the verification text box and clicking the Confirm button. Let's take a closer look at both of these steps. The following screenshot is the JavaScript snippet for this Web page. The "Generate Code" link is actually a request to 0.facebook.com/ajax/dtsg.php. This request will return JavaScript code similar to the code shown in the screenshot below. Many browsers like Chrome and Firefox support a "view-source" URI scheme. This means that any URL supplied with "view-source" as the URI handler will open up the source code of that page. So clicking the "Generate Code" link will display the data (JavaScript) returned from the request to dtsg.php in a "View Source" browser window. The user is then prompted to copy and paste this JavaScript code into the "Insert Verification Code" textbox and then click the Confirm box. So what is so special about this JavaScript code? The answer is the Anti-CSRF token called "fb_dtsg". In order to prevent CSRF attacks, Facebook pages have a unique per session token called "fb_dtsg". The request to facebook.com/ajax/dtsg.php returns JavaScript code containing the "fb_dtsg" token. The attacker is tricking the victim into revealing his or her Facebook Anti-CSRF token. In this case the attacker's third party site receives this Anti-CSRF token when the user copies and pastes the JavaScript code and clicks Confirm. The attacker is now in a position to perform CSRF attacks.
Stage 3: CSRF attack (malicious links silently posted to the user's wall). The picture below details the JavaScript code returned by the attacker upon clicking the Confirm button. This code executes a CSRF attack to post a malicious link on the user's Facebook page using the CSRF token that was stolen in stage 2. The thing to note here is that the "post_form_id" value is irrelevant for the success of this attack. In fact, the attacker decided to randomly generate a "post_form_id" value in the code above.
Comparison to self-XSS copy and paste attacks: This attack technique is similar in nature to the Self-XSS copy and paste attacks that we saw on the Facebook platform this summer. In the previous Self-XSS attacks, the attacker managed to trick the user into copying and pasting malicious JavaScript code into the user's browser. The malicious JavaScript code ran in the same origin context as Facebook.com, and so it was able to extract token values such as the fb_dtsg by parsing the DOM. These extracted token values were later used to post malicious spam messages to the user and the user's friends. However, in this latest attack, instead of tricking the victim to execute JavaScript code whilst accessing their Facebook account, the attacker is tricking the victim into sending his or her Anti-CSRF token to the attacker. With the Anti-CSRF token in hand, the attacker then executes a CSRF attack to propagate scam messages.
Conclusion: Although by and large we haven't seen attackers propagate malicious browser exploits and drive-by-downloads using these spam campaigns, we conjecture that attackers might naturally gravitate towards this in the near future. Furthermore, attackers are using some really innovative social engineering techniques to trick their victims. We advise users to keep their security software up-to-date and not click on any links that seem suspicious. It's worth noting that we've reached out to Facebook and they inform us that they've had great cooperation from browser vendors to fix these issues and will continue to work with them on these issues. They also stated that they try to prevent this behavior by automated monitoring of accounts for suspicious behavior.</description><link>http://www.secuobs.com/revue/news/337217.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/337217.shtml</guid></item>
<item><title>Tokenization Guidance: Merchant Advice</title><description>2011-10-20 06:45:43 - Security Bloggers Network : The goal with tokenization is to reduce the scope of the PCI database security assessment. In essence this means a reduction in the time, cost and complexity of compliance auditing. We want to remove the need to inspect every system for its</description><link>http://www.secuobs.com/revue/news/335890.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/335890.shtml</guid></item>
<item><title>Tokenization Guidance: PCI Supplement Highlights</title><description>2011-10-13 07:52:33 - Security Bloggers Network : The PCI DSS Tokenization Guidelines Information Supplement (which I will refer to as "the supplement" for the remainder of this series) is intended to address how tokenization may impact Payment Card Industry (PCI) Dat</description><link>http://www.secuobs.com/revue/news/334500.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/334500.shtml</guid></item>
<item><title>New Series: Tokenization Guidance</title><description>2011-10-11 00:41:18 - Security Bloggers Network : Tokenization Guidance. I have wanted to write this post since the middle of August. Every time I started writing, another phone call came in from a merchant, payment processor, technology vendor, or someone loosely associated with a Paymen</description><link>http://www.secuobs.com/revue/news/333927.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/333927.shtml</guid></item>
<item><title>PhoneFactor has launched a Token replacement programme</title><description>2011-10-03 23:20:08 - Global Security Mag Online : Although the full consequences of the recent token security breaches are not yet known, several studies have confirmed that these devices can be used by attackers to carry out attacks. To help companies concerned about the security of their information systems, PhoneFactor is offering a token replacement programme. SecurID token replacement programme by PhoneFactor: additional discounts and special pricing; support. - Business</description><link>http://www.secuobs.com/revue/news/332422.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/332422.shtml</guid></item>
<item><title>Towards secure tokenization algorithms and architectures</title><description>2011-09-28 14:41:33 - Help Net Security / Articles : Tokenization - the use of surrogate values for sensitive data - is all the rage. Although it is often sold as an alternative to encryption, it is at the core a cryptographic algorithm. This session</description><link>http://www.secuobs.com/revue/news/331498.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/331498.shtml</guid></item>
<item><title>Towards secure tokenization algorithms and architectures</title><description>2011-09-28 14:41:24 - Help Net Security / News : Tokenization - the use of surrogate values for sensitive data - is all the rage. Although it is often sold as an alternative to encryption, it is at the core a cryptographic algorithm. This session</description><link>http://www.secuobs.com/revue/news/331497.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/331497.shtml</guid></item>
<item><title>Modulo iToken.exe</title><description>2011-09-24 13:24:43 - How to remove : A suspicious file named Modulo iToken.exe has appeared in a virus analysis report. You can see it on this link. I have also noticed some links on the net that point to a legitimate program with the same name, so this report does not indicate any legitimate application to be a virus. The installer of this program is about 434 KB. It may be identified by anti-virus programs as Mal/Banker-AD (Sophos) or Trojan-Clicker.Win32.Delf (Ikarus). It is suspected to have originated in Brazil. You can see similar instances in the right column under Similar (keyword Delf). It creates Modulo iToken.exe and other files on the infected computer that you need to search for and delete. You should end running processes named Modulo iToken.exe from Task Manager, and also remove the file's entries from Windows startup.

Warning: it is possible that some legitimate software may be using the same file names as the virus files. You do not have to delete these files if they belong to some legitimate program installed on your computer. Use Windows Defender or SysInternals Process Explorer to differentiate between them. The information in this article is presented without making any claims regarding its usefulness or otherwise. If you have any objections or questions, please send a note by adding a comment at the end of this page, or mail support at comprolive.com.

Preventive measures. Most viruses enter your computer when you visit some harmful website. If you use a browser plugin that warns you about harmful websites, you can prevent this from happening. A popular browser plugin is called Web Of Trust (WOT); you can install it from its website on this link (a video about the WOT plugin). Blocking JavaScript on all sites by default can help to prevent drive-by download infections. You can use the NoScript plugin for Firefox as explained in this video. Similar functionality can be achieved in Google's Chromium browser using the settings in Preferences > Under the Hood > Content Settings > JavaScript > Select "Do not allow". After that, when you visit a site you will see a pop-up next to the address bar asking whether you want to allow JavaScript to run for that particular site. The author of NoScript is writing a similar plugin for IE9 called GoodScript; keep an eye on when it becomes available. Some viruses are downloaded into the Internet cache or into the Windows Temp folder, and get activated when these files are executed. You can reduce the risk of virus infection if you empty your browser cache and remove Windows temp files occasionally, ideally at the end of a browsing session or before shutting down your computer. Some programs like CCleaner can be set to do these things automatically (a video about CCleaner). Do not leave your computer infected and insecure. If you suspect that there could be some undetected virus on your computer, don't leave it like that: format the hard disk and reinstall Windows and all other programs. That is the sure way to clear doubts.

Using System Restore. If you know how long your computer has been infected, you can try to restore your computer to a prior date; that is an easy way to undo the changes made by the virus (Using System Restore in Windows XP / Windows Vista / Windows 7; video of how to use System Restore).

Boot in safe mode. Sometimes you cannot delete a file. You should boot in safe mode and then try to delete it (How to boot in safe mode in Windows XP / Windows Vista / Windows 7).

View hidden files. You need to enable viewing of hidden files and folders before searching (How to enable viewing hidden files and folders in Windows XP / Windows Vista / Windows 7; video of how to enable hidden files and folders).

Remove processes from Task Manager. Press Ctrl+Alt+Del to open the Task Manager and select the Processes tab. You will see a list; look for the name Modulo iToken.exe in it. Select it if found and press the End Process button. It will ask for your confirmation to end that process; select Yes. You can end one process at a time. You can find out whether a process in Task Manager is good or bad by using Windows Defender in XP and Vista: it shows the path of a process and its publisher, and harmful processes may be shown under Unknown Publisher. In Windows 7 you can find that out from the Task Manager itself. You can watch a video on how to use Windows Defender (in Windows XP / Windows Vista / Windows 7). Or you can use Sysinternals Process Explorer (How to use Sysinternals Process Explorer; video of how to use Sysinternals Windows Process Explorer).

Removing the entry from Windows startup. The System Configuration utility can be started in XP and in Vista by typing msconfig in the Run box / Start menu search box (in XP by clicking Start > Run). Windows startup changes are reversible: you can check or uncheck any entry from Windows startup any number of times. Watch a video on how to use the Windows startup. Open the System Configuration window and click on the Startup tab. You will see a list of all the programs that are scheduled to start with Windows. Expand the middle column using your mouse pointer; that will show you the full path of the program. Locate and uncheck the boxes in front of these names: Modulo iToken.exe (also look for any other suspicious names). Press Apply, press Close/OK, and select Restart at the next prompt.

Deleting files. The computer will restart now. Delete the following files and folders. Boot in safe mode or boot to the DOS prompt if needed. You can use the Windows search utility to search for Modulo iToken.exe. Files: C:\Windows\System32\Modulo iToken.exe. Folders: files in the Temp folder; the installer file (file and pathname of sample #1). We do not know the name or the location of sample #1; it could be in your default download location, on the desktop or in a Temp folder. The files and folders in the Temp folder can be automatically removed if you use a freeware temp files / registry cleaner like CCleaner. Location of %AppData%: Windows XP, C:\Documents and Settings\username\Application Data; Windows Vista and Windows 7, C:\Users\UserName\AppData\Roaming. %CommonAppData%: Windows XP, C:\Documents and Settings\All Users\Application Data; Windows Vista and Windows 7, C:\ProgramData.

Repair Hosts File. To repair / edit the hosts file, log in as administrator and open the following file in Notepad: C:\WINDOWS\system32\drivers\etc\hosts. Remove anything other than 127.0.0.1 localhost, then save and close the file.

Registry Keys. Some of the registry keys will be automatically removed if you run the Registry menu of CCleaner. For others you can see the report mentioned at the beginning of this article.

Using CCleaner. You can easily remove the files in the Temp folder by running CCleaner. You can set CCleaner to run automatically each time the computer starts. Do not forget to run the CCleaner Registry menu to remove the obsolete registry entries (more about CCleaner on this link; video on how to use CCleaner).

Free tools to repair disabled Folder Options, Registry, Task Manager etc. You can repair disabled Folder Options, disabled Registry Tools, disabled Task Manager, disabled System Restore etc. using these free tools (Tools for Windows Vista / Windows XP / Windows 7).

Use the System File Checker to repair altered, deleted or modified Windows system files (How to run the System File Checker utility in Windows XP / Windows Vista / Windows 7).

Additional Information. Virus infections are complex. Most of the time a virus on the computer downloads more files and makes it complicated. In my attempt to warn users about the different ways that viruses are trying to infect and ways to find and remove them, I have created videos on specific free tools and manual methods; these videos could be of great help: 1. To detect and remove malicious Alternate Data Streams - Stream Armour. 2. To detect and remove malicious services - Advanced WinService Manager. 3. To detect and remove viruses in a fake Recycle Bin - Watch Video. 4. Keep an eye on suspicious connections using a firewall - free Comodo Firewall. 5. A free tool to detect and remove unwanted BHOs - SpyBHO Remover. Reprinted with permission from ThreatExpert.com. Sanjay C Rajure.</description><link>http://www.secuobs.com/revue/news/330873.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/330873.shtml</guid></item>
<item><title>Mod iToken.exe</title><description>2011-09-24 12:31:24 - How to remove : A suspicious file named Mod iToken.exe has appeared in a virus analysis report. You can see it on this link. I have also noticed some links on the net that point to a legitimate program with the same name, so this report does not indicate any legitimate application to be a virus. The installer of this program is about 434 KB. It may be identified by anti-virus programs as Mal/Banker-AD (Sophos) or Trojan-Clicker.Win32.Delf (Ikarus). It is suspected to have originated in Brazil. You can see similar instances in the right column under Similar (keyword Delf). It creates Mod iToken.exe and other files on the infected computer that you need to search for and delete. You should end running processes named Mod iToken.exe from Task Manager, and also remove the file's entries from Windows startup.

Warning: it is possible that some legitimate software may be using the same file names as the virus files. You do not have to delete these files if they belong to some legitimate program installed on your computer. Use Windows Defender or SysInternals Process Explorer to differentiate between them. The information in this article is presented without making any claims regarding its usefulness or otherwise. If you have any objections or questions, please send a note by adding a comment at the end of this page, or mail support at comprolive.com.

Preventive measures. Most viruses enter your computer when you visit some harmful website. If you use a browser plugin that warns you about harmful websites, you can prevent this from happening. A popular browser plugin is called Web Of Trust (WOT); you can install it from its website on this link (a video about the WOT plugin). Blocking JavaScript on all sites by default can help to prevent drive-by download infections. You can use the NoScript plugin for Firefox as explained in this video. Similar functionality can be achieved in Google's Chromium browser using the settings in Preferences > Under the Hood > Content Settings > JavaScript > Select "Do not allow". After that, when you visit a site you will see a pop-up next to the address bar asking whether you want to allow JavaScript to run for that particular site. The author of NoScript is writing a similar plugin for IE9 called GoodScript; keep an eye on when it becomes available. Some viruses are downloaded into the Internet cache or into the Windows Temp folder, and get activated when these files are executed. You can reduce the risk of virus infection if you empty your browser cache and remove Windows temp files occasionally, ideally at the end of a browsing session or before shutting down your computer. Some programs like CCleaner can be set to do these things automatically (a video about CCleaner). Do not leave your computer infected and insecure. If you suspect that there could be some undetected virus on your computer, don't leave it like that: format the hard disk and reinstall Windows and all other programs. That is the sure way to clear doubts.

Using System Restore. If you know how long your computer has been infected, you can try to restore your computer to a prior date; that is an easy way to undo the changes made by the virus (Using System Restore in Windows XP / Windows Vista / Windows 7; video of how to use System Restore).

Boot in safe mode. Sometimes you cannot delete a file. You should boot in safe mode and then try to delete it (How to boot in safe mode in Windows XP / Windows Vista / Windows 7).

View hidden files. You need to enable viewing of hidden files and folders before searching (How to enable viewing hidden files and folders in Windows XP / Windows Vista / Windows 7; video of how to enable hidden files and folders).

Remove processes from Task Manager. Press Ctrl+Alt+Del to open the Task Manager and select the Processes tab. You will see a list; look for the name Mod iToken.exe in it. Select it if found and press the End Process button. It will ask for your confirmation to end that process; select Yes. You can end one process at a time. You can find out whether a process in Task Manager is good or bad by using Windows Defender in XP and Vista: it shows the path of a process and its publisher, and harmful processes may be shown under Unknown Publisher. In Windows 7 you can find that out from the Task Manager itself. You can watch a video on how to use Windows Defender (in Windows XP / Windows Vista / Windows 7). Or you can use Sysinternals Process Explorer (How to use Sysinternals Process Explorer; video of how to use Sysinternals Windows Process Explorer).

Removing the entry from Windows startup. The System Configuration utility can be started in XP and in Vista by typing msconfig in the Run box / Start menu search box (in XP by clicking Start > Run). Windows startup changes are reversible: you can check or uncheck any entry from Windows startup any number of times. Watch a video on how to use the Windows startup. Open the System Configuration window and click on the Startup tab. You will see a list of all the programs that are scheduled to start with Windows. Expand the middle column using your mouse pointer; that will show you the full path of the program. Locate and uncheck the boxes in front of these names: Mod iToken.exe (also look for any other suspicious names). Press Apply, press Close/OK, and select Restart at the next prompt.

Deleting files. The computer will restart now. Delete the following files and folders. Boot in safe mode or boot to the DOS prompt if needed. You can use the Windows search utility to search for Mod iToken.exe. Files: C:\Windows\System32\Mod iToken.exe. Folders: files in the Temp folder; the installer file (file and pathname of sample #1). We do not know the name or the location of sample #1; it could be in your default download location, on the desktop or in a Temp folder. The files and folders in the Temp folder can be automatically removed if you use a freeware temp files / registry cleaner like CCleaner. Location of %AppData%: Windows XP, C:\Documents and Settings\username\Application Data; Windows Vista and Windows 7, C:\Users\UserName\AppData\Roaming. %CommonAppData%: Windows XP, C:\Documents and Settings\All Users\Application Data; Windows Vista and Windows 7, C:\ProgramData.

Repair Hosts File. To repair / edit the hosts file, log in as administrator and open the following file in Notepad: C:\WINDOWS\system32\drivers\etc\hosts. Remove anything other than 127.0.0.1 localhost, then save and close the file.

Registry Keys. Some of the registry keys will be automatically removed if you run the Registry menu of CCleaner. For others you can see the report mentioned at the beginning of this article.

Using CCleaner. You can easily remove the files in the Temp folder by running CCleaner. You can set CCleaner to run automatically each time the computer starts. Do not forget to run the CCleaner Registry menu to remove the obsolete registry entries (more about CCleaner on this link; video on how to use CCleaner).

Free tools to repair disabled Folder Options, Registry, Task Manager etc. You can repair disabled Folder Options, disabled Registry Tools, disabled Task Manager, disabled System Restore etc. using these free tools (Tools for Windows Vista / Windows XP / Windows 7).

Use the System File Checker to repair altered, deleted or modified Windows system files (How to run the System File Checker utility in Windows XP / Windows Vista / Windows 7).

Additional Information. Virus infections are complex. Most of the time a virus on the computer downloads more files and makes it complicated. In my attempt to warn users about the different ways that viruses are trying to infect and ways to find and remove them, I have created videos on specific free tools and manual methods; these videos could be of great help: 1. To detect and remove malicious Alternate Data Streams - Stream Armour. 2. To detect and remove malicious services - Advanced WinService Manager. 3. To detect and remove viruses in a fake Recycle Bin - Watch Video. 4. Keep an eye on suspicious connections using a firewall - free Comodo Firewall. 5. A free tool to detect and remove unwanted BHOs - SpyBHO Remover. Reprinted with permission from ThreatExpert.com. Sanjay C Rajure.</description><link>http://www.secuobs.com/revue/news/330871.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/330871.shtml</guid></item>
<item><title>Analysis: PCI Tokenization Guidelines offer Clarity, but Questions Remain</title><description>2011-09-22 20:47:52 - SecurityCurve : TechTarget just published my analysis on the PCI Tokenization Guidelines. For years, security experts have touted the value of credit card tokenization for limiting PCI scope. The National Retail Federation (NRF) listed tokenization in its January 2009 "Key PCI Best Practices" document, and Gartner Inc. analysts John Pescatore and Avivah Litan explained how tokenization can</description><link>http://www.secuobs.com/revue/news/330441.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/330441.shtml</guid></item>
<item><title>Tokenization Guidance from PCI Council</title><description>2011-09-21 23:58:08 - Security Bloggers Network : By Sushila Nair, Product Manager, BT Counterpane. The PCI DSS release of the long-awaited tokenization guidelines seems to have been well received, but it has also raised some questions. With varied types of tokenization, merchants need to understand how each type works and which solution is best for their particular environment. Initially, the document outlines</description><link>http://www.secuobs.com/revue/news/330290.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/330290.shtml</guid></item>
<item><title>The FFIEC and Password-Generating Tokens</title><description>2011-08-29 15:24:04 - Security Bloggers Network : In June 2011, the FFIEC (Federal Financial Institutions Examination Council) issued a "Supplement to Authentication in an Internet Banking Environment," available at http://www.ffiec.gov/pdf/Auth-ITS-Final%206-22-11%20(FFIEC%20Formated).pdf. The FFIEC comprises five financial regulatory agencies, namely the Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, National Credit Union Administration, Office of the Comptroller of the Currency, and</description><link>http://www.secuobs.com/revue/news/325774.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/325774.shtml</guid></item>
<item><title>6339 Context Token Encapsulate/Decapsulate and OID Comparison Functions for the Generic Security Service Application Program Interface (GSS-API)</title><description>2011-08-26 01:27:48 - New RFCs : 13KB. This document describes three abstract Generic Security Service Application Program Interface (GSS-API) interfaces used to encapsulate/decapsulate context tokens and compare OIDs. This document also specifies C bindings for the abstract interfaces. [STANDARDS-TRACK]</description><link>http://www.secuobs.com/revue/news/325310.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/325310.shtml</guid></item>
<item><title>New White Paper: Tokenization vs Encryption</title><description>2011-08-17 18:08:50 - Security Bloggers Network : I am proud to announce the availability of our newest white paper, Tokenization vs Encryption: Options for Compliance. The paper was written to close some gaps in our existing tokenization research coverage. I believe it is particularly import</description><link>http://www.secuobs.com/revue/news/323675.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/323675.shtml</guid></item>
<item><title>PCI Compliance and Tokenization</title><description>2011-08-12 18:51:37 - Infosec Island Latest Articles : Tokenization does not imply encryption. However, encryption may be used for tokenization, as can one-way hashing. When encryption is used as a way to tokenize sensitive information, the system receiving the token never has the capability to decrypt the token.</description><link>http://www.secuobs.com/revue/news/322773.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/322773.shtml</guid></item>
<item><title>Tokenization, and just what is a payment application anyway?</title><description>2011-08-12 17:47:16 - SecurityCurve : So, for folks who pay attention to this stuff, the long-awaited PCI Tokenization guidance is finally out. We'll be discussing it in some depth over the next few months, in this forum and others. However, as a quick hit, the biggest win by far is that we finally know for a fact (because they</description><link>http://www.secuobs.com/revue/news/322760.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/322760.shtml</guid></item>
<item><title>PCI council offers merchants guidance on secure tokenization</title><description>2011-08-12 17:32:33 - Infosecurity (USA) / Latest News : The PCI Security Standards Council released today its security guidance for the use of tokenization to process payment card transactions.</description><link>http://www.secuobs.com/revue/news/322759.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/322759.shtml</guid></item>
<item><title>Contactless token holds emergency health information</title><description>2011-08-08 23:06:08 - ContactlessNews / Contactless Smart Cards, RFID, Payment, Transit and Security : Asahi Kasei, a Japan-based chemical and tech company, has developed a tiny contactless health care device that allows paramedics and ER doctors to access a patient's health records in seconds, according to TechCrunch.com. Operating on Japan's FeliCa contactless RFID system, the 3x3cm token makes it possible for first responders to access important health information, such as medication allergies or blood type, by simply tapping the device with a smart card reader or smart phone. Read the full article at ContactlessNews.</description><link>http://www.secuobs.com/revue/news/321815.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/321815.shtml</guid></item>
<item><title>Secure tokens: Preventing two-factor token authentication exploits</title><description>2011-07-27 23:20:16 - SearchSecurity / Threat Monitor : What are the most common attacks against two-factor authentication, and how can you protect against them? Expert Nick Lewis weighs in.</description><link>http://www.secuobs.com/revue/news/319616.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/319616.shtml</guid></item>
<item><title>IAM Cloud provides fast two-factor authentication deployment via SMS or soft tokens</title><description>2011-07-22 16:12:22 - SecurityPark.net : IAM Secure has launched IAM Cloud, an enterprise-strength Authentication-as-a-Service that simplifies secure remote IT access and costs 50% less on average than managed authentication services. IAM Cloud provides fast two-factor authentication deployment via SMS, soft tokens and OATH-standard hardware tokens with no new infrastructure requirements or costs, just a low monthly subscription fee.</description><link>http://www.secuobs.com/revue/news/318719.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/318719.shtml</guid></item>
<item><title>Tokenization vs Encryption: Healthcare Data Security</title><description>2011-07-13 19:57:11 - Security Bloggers Network : Securing Personal Health Records (PHR) for healthcare providers is supposed to be the next frontier for many security technologies. Security vendors market solutions for Protected Health Information (PHI) because HIPAA and HITECH impose data se</description><link>http://www.secuobs.com/revue/news/316791.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/316791.shtml</guid></item>
<item><title>Tokenization vs Encryption: Personal Information Security</title><description>2011-07-11 19:29:04 - Security Bloggers Network : In the last post I covered how tokenization is being deployed to solve payment data security issues. Relatively speaking it's a niche technology applied to a single problem: protecting credit card data. As a technology, data tokenization</description><link>http://www.secuobs.com/revue/news/316298.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/316298.shtml</guid></item>
<item><title>Symantec scraps RSA tokens</title><description>2011-07-08 11:59:59 - securitythreat.info : http://www.flickr.com/photos/rimblas/4101222859 Symantec has begun to replace its global fleet of RSA SecurID tokens following its acquisition of VeriSign's Authentication Services last year. The swap comes in the wake of the high-profile breach of RSA tokens in March, although the company said it already had planned to "eat its own cookie" and dump RSA for VeriSign's Public Key Infrastructure platform. The SecurID token system, used globally by Symantec, was compromised in a multi-pronged attack this year, forcing RSA to replace the keys for some affected customers and offer security services to others. "There has been a long-running transition to VeriSign since the acquisition," Symantec said. Tags: RSA, Security. Source: SC Magazine (AU)</description><link>http://www.secuobs.com/revue/news/315809.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/315809.shtml</guid></item>
<item><title>Updated Recommendations for RSA Token Users</title><description>2011-06-30 13:07:16 - Verizon Business Security Blog : The RISK Team tries to put events into context consistent with our doctrine of risk being the product of threat, vulnerability, and impact. In that context, it's hard to support a recommendation for the majority of Verizon Cybertrust Security customers to dedicate additional resources, especially staff time, to the RSA token problem. Also, they should</description><link>http://www.secuobs.com/revue/news/314434.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/314434.shtml</guid></item>
<item><title>Inventor of SecurID token has new authentication system</title><description>2011-06-29 20:15:26 - Network World on Security : The inventor of the two-factor authentication SecurID token says the latest technology he's come up with is better because it can be used with a voiceprint biometric, plus it can be deployed for purposes of secure authentication in mobile phones, payments and cloud computing </description><link>http://www.secuobs.com/revue/news/314312.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/314312.shtml</guid></item>
<item><title>Tunbridge Wells deploys SecurAccess tokenless authentication</title><description>2011-06-28 14:53:13 - SecurityPark.net : SecurEnvoy has announced it had secured Tunbridge Wells Borough Council, its 20th local authority. Tunbridge Wells deployed SecurAccess for their 300 employees as a fail-safe way of securely connecting to their network. RSA, the security division of EMC, disclosed in March that it had fallen victim to a security breach which had reduced the effectiveness of its customers' SecurID tokens. In May</description><link>http://www.secuobs.com/revue/news/313976.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/313976.shtml</guid></item>
<item><title>Soft Tokens: More of the Same Problems with Information Assurance (TCG)</title><description>2011-06-24 02:10:38 - Security Bloggers Network : Unfortunately for those concerned with protecting important data - whether financial, healthcare, national security, intellectual property, or the like - the whole brouhaha over the recent break of RSA tokens seems to be fading, replaced by other news.</description><link>http://www.secuobs.com/revue/news/313279.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/313279.shtml</guid></item>
<item><title>Tokenization vs Encryption: Payment Data Security</title><description>2011-06-23 10:42:26 - Security Bloggers Network : Continuing our series on tokenization for compliance, it's time to look at how tokens are used to secure payment data. I will focus on how tokenization is employed for credit card security and helps with compliance because this model is driving a</description><link>http://www.secuobs.com/revue/news/313053.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/313053.shtml</guid></item>
<item><title>Access Control Service: Protocol and Token Transition</title><description>2011-06-22 08:59:53 - www.leastprivilege.com : ACS v2 supports a number of protocols (WS-Federation, WS-Trust, OpenID, OAuth 2 / WRAP) and a number of token types (SWT, SAML 1.1 / 2.0); see Vittorio's infographic here. Some protocols are designed for active clients (WS-Trust, OAuth / WRAP) and some are designed for passive clients (WS-Federation, OpenID). One of the most obvious advantages of ACS is that it allows transitioning between the various protocols and token types. One example would be using WS-Federation / SAML between your application and ACS to sign in with a Google account: Google uses OpenID and non-SAML tokens, but ACS transitions into WS-Federation and sends back a SAML token. This way your application only needs to understand a single protocol, whereas ACS acts as a protocol bridge (see my ACS2 sample here). Another example would be the transformation of a SAML token into a SWT. This is achieved by using the WRAP endpoint: you send a SAML token (from a registered identity provider) to ACS, and ACS turns it into a SWT token for the requested relying party, e.g. using the WrapClient from Thinktecture.IdentityModel:

[TestMethod]
public void GetClaimsSamlToSwt()
{
    // get a SAML token from the identity provider
    var samlToken = Helper.GetSamlIdentityTokenForAcs();

    // send it to ACS for conversion into a SWT
    var swtToken = Helper.GetSimpleWebToken(samlToken);

    // attach the SWT to the client as an OAuth (WRAP) access token
    var client = new HttpClient(Constants.BaseUri);
    client.SetAccessToken(swtToken, WebClientTokenSchemes.OAuth);

    // call the REST service with the SWT
    var response = client.Get("wcf client");
    Assert.AreEqual(HttpStatusCode.OK, response.StatusCode);
}

There are more protocol transitions possible, but they are not so obvious. A popular example would be how to call a REST / SOAP service using e.g. a LiveId login. In the next post I will show you how to approach that scenario.
</description><link>http://www.secuobs.com/revue/news/312787.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/312787.shtml</guid></item>
<item><title>Useful Extensions for SecurityToken Handling - Convert a SecurityToken to Claims</title><description>2011-06-17 10:50:48 - www.leastprivilege.com : That's a very common one:

public static IClaimsPrincipal ToClaimsPrincipal(this SecurityToken token, X509Certificate2 signingCertificate)
{
    // validate against the signing certificate, no audience check
    var configuration = CreateStandardConfiguration(signingCertificate);
    return token.ToClaimsPrincipal(configuration.CreateDefaultHandlerCollection());
}

public static IClaimsPrincipal ToClaimsPrincipal(this SecurityToken token, X509Certificate2 signingCertificate, string audienceUri)
{
    // validate against the signing certificate and require the given audience
    var configuration = CreateStandardConfiguration(signingCertificate);
    configuration.AudienceRestriction.AudienceMode = AudienceUriMode.Always;
    configuration.AudienceRestriction.AllowedAudienceUris.Add(new Uri(audienceUri));
    return token.ToClaimsPrincipal(configuration.CreateDefaultHandlerCollection());
}

public static IClaimsPrincipal ToClaimsPrincipal(this SecurityToken token, SecurityTokenHandlerCollection handler)
{
    var ids = handler.ValidateToken(token);
    return ClaimsPrincipal.CreateFromIdentities(ids);
}

private static SecurityTokenHandlerConfiguration CreateStandardConfiguration(X509Certificate2 signingCertificate)
{
    var configuration = new SecurityTokenHandlerConfiguration();
    configuration.AudienceRestriction.AudienceMode = AudienceUriMode.Never;
    configuration.IssuerNameRegistry = signingCertificate.CreateIssuerNameRegistry();
    configuration.IssuerTokenResolver = signingCertificate.CreateSecurityTokenResolver();
    configuration.SaveBootstrapTokens = true;
    return configuration;
}

private static IssuerNameRegistry CreateIssuerNameRegistry(this X509Certificate2 certificate)
{
    // trust exactly one issuer: the supplied signing certificate
    var registry = new ConfigurationBasedIssuerNameRegistry();
    registry.AddTrustedIssuer(certificate.Thumbprint, certificate.Subject);
    return registry;
}

private static SecurityTokenResolver CreateSecurityTokenResolver(this X509Certificate2 certificate)
{
    var tokens = new List&lt;SecurityToken&gt; { new X509SecurityToken(certificate) };
    return SecurityTokenResolver.CreateDefaultSecurityTokenResolver(tokens.AsReadOnly(), true);
}

private static SecurityTokenHandlerCollection CreateDefaultHandlerCollection(this SecurityTokenHandlerConfiguration configuration)
{
    return SecurityTokenHandlerCollection.CreateDefaultSecurityTokenHandlerCollection(configuration);
}
</description><link>http://www.secuobs.com/revue/news/311899.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/311899.shtml</guid></item>
<item><title>Useful Extensions for SecurityToken Handling - Convert Tokens to Strings</title><description>2011-06-17 09:00:01 - www.leastprivilege.com : As part of the next release of Thinktecture.IdentityModel, I added a number of extension methods. I get a lot of questions about manual token handling, like how to convert a SAML token to a string, how to convert a token to claims etc. Basically it all boils down to the right usage of WIF's security token handlers. The extension methods wrap that nicely:

public static string ToTokenXmlString(this SecurityToken token)
{
    // a GenericXmlSecurityToken already carries its XML, no handler needed
    var genericToken = token as GenericXmlSecurityToken;
    if (genericToken != null)
    {
        return genericToken.ToTokenXmlString();
    }

    var handler = SecurityTokenHandlerCollection.CreateDefaultSecurityTokenHandlerCollection();
    return token.ToTokenXmlString(handler);
}

public static string ToTokenXmlString(this SecurityToken token, SecurityTokenHandlerCollection handler)
{
    if (handler.CanWriteToken(token))
    {
        // serialize the token through its registered handler
        var sb = new StringBuilder(128);
        handler.WriteToken(new XmlTextWriter(new StringWriter(sb)), token);
        return sb.ToString();
    }
    else
    {
        throw new InvalidOperationException("Token type not supported");
    }
}

public static string ToTokenXmlString(this GenericXmlSecurityToken token)
{
    return token.TokenXml.OuterXml;
}

HTH
</description><link>http://www.secuobs.com/revue/news/311883.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/311883.shtml</guid></item>
<item><title>Week in review: LulzSec attacks, RSA admits compromise of SecurID tokens and new issue of (IN)SECURE Magazine</title><description>2011-06-13 07:09:32 - Help Net Security News : Here's an overview of some of last week's most interesting news and articles. FBI affiliate organization hacked, user database leaked: only a day after they leaked the details of over one million</description><link>http://www.secuobs.com/revue/news/310746.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/310746.shtml</guid></item>
<item><title>SecurID tokens under attack</title><description>2011-06-09 14:14:32 - Computer Security News : The ubiquitous totem of many office workers, the SecurID tokens used to access sensitive corporate systems, are under attack.</description><link>http://www.secuobs.com/revue/news/310143.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/310143.shtml</guid></item>
<item><title>QFT: Tokens dead? I'd buy that for a dollar</title><description>2011-06-08 16:28:28 - SecurityCurve : So (IN)SECURE Magazine issue 30 is out today. I don't always make a habit of reading it (no offense guys, the content is great but I find the "form factor" hard to read). Anyway, this time around there is some really good stuff, particularly the article "The token is dead" by Andrew Kemshall (page</description><link>http://www.secuobs.com/revue/news/309929.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/309929.shtml</guid></item>
<item><title>Concerned with the vulnerability of authentication tokens</title><description>2011-06-08 07:49:57 - Help Net Security News : Since RSA has finally admitted publicly that the March breach into its systems has resulted in the compromise of their SecurID two-factor authentication tokens, organizations using tokens should consi</description><link>http://www.secuobs.com/revue/news/309845.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/309845.shtml</guid></item>
<item><title>RSA to replace millions of SecurID tokens - IT should take notice</title><description>2011-06-08 04:36:11 - Security Bloggers Network : On Friday, Lockheed Martin said they had proof that data stolen from RSA was used in an attempted attack on their systems. On Monday, RSA issued a public notice that Lockheed was correct, and announced that they would start replacing the compromised to</description><link>http://www.secuobs.com/revue/news/309822.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/309822.shtml</guid></item>
<item><title>RSA finally admits that SecurID tokens have been compromised</title><description>2011-06-08 01:18:35 - Security Bloggers Network : Too little, too late. They could have admitted that when it first went public. RSA finally admitted that SecurID tokens have been compromised. How many? All of them. HelpNetSecurity reports: The admission comes in the wake of cyber intrusions into the networks of three US military contractors (one of them confirmed)</description><link>http://www.secuobs.com/revue/news/309798.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/309798.shtml</guid></item>
<item><title>RSA Moves To Repurpose Tokens</title><description>2011-06-08 01:18:35 - Security Bloggers Network :  </description><link>http://www.secuobs.com/revue/news/309794.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/309794.shtml</guid></item>
<item><title>RSA Offers to Replace Tokens</title><description>2011-06-08 00:17:00 - Privacy, Security, Crypto and smart dust : by Johannes Ullrich. RSA issued a press release, offering to replace all tokens if a customer asks for it. As an alternative, RSA also offers to implement additional authentication monitoring. Aside from the press release, and an interview with the RSA CEO, there have not been any details about how this would work or how</description><link>http://www.secuobs.com/revue/news/309788.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/309788.shtml</guid></item>
<item><title>Replacing RSA SecurID Tokens Not So Simple</title><description>2011-06-07 22:10:48 - DarkReading   All Stories : There are plenty of in-house logistics -- and no guarantees that the new tokens won't be eventually compromised, security experts say </description><link>http://www.secuobs.com/revue/news/309766.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/309766.shtml</guid></item>
<item><title>RSA to replace millions of SecurID tokens - IT should take notice</title><description>2011-06-07 19:56:16 - The Tech Herald Security News : On Friday, Lockheed Martin said they had proof that data stolen from RSA was used in an attempted attack on their systems. On Monday, RSA issued a public notice that Lockheed was correct, and announced that they would start replacing the compromised tokens used by their customers. For those working in the IT world, these two elements are worth paying attention to.</description><link>http://www.secuobs.com/revue/news/309721.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/309721.shtml</guid></item>
<item><title>RSA offers to replace compromised SecurID tokens</title><description>2011-06-07 19:28:00 - Infosecurity USA Latest News : Two and a half months after the company admitted to a data security breach of its SecurID database, RSA is offering to replace SecurID tokens of certain customers, including big-name defense firm Lockheed Martin.</description><link>http://www.secuobs.com/revue/news/309711.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/309711.shtml</guid></item>
<item><title>Security Alert: RSA Breach and 7 Ways to Secure Your Tokens</title><description>2011-06-07 18:53:12 - MSI State of Security : Since the compromise of the RSA environment several months ago, much attention has been paid to the potential impact of the attack on RSA customers. Given the popularity of the RSA products and the sensitivity of the processes that they protect, the situation should be taken very seriously by RSA token users. Last night, RSA</description><link>http://www.secuobs.com/revue/news/309695.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/309695.shtml</guid></item>
<item><title>RSA Agrees to Replace Security Tokens After Admitting Compromise</title><description>2011-06-07 18:49:40 - Threat Level : Nearly three months after RSA Security was breached by hackers, the company has announced it will replace the security tokens for nearly all of its SecurID customers. The move, announced in a letter sent to customers on Monday, comes after news that defense contractor Lockheed Martin was reportedly breached by hackers using duplicates of the SecurID</description><link>http://www.secuobs.com/revue/news/309693.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/309693.shtml</guid></item>
<item><title>RSA confirms its tokens used in Lockheed hack</title><description>2011-06-07 16:52:15 - LinuxSecurity.com Latest News : LinuxSecurity.com: RSA Security has confirmed that stolen data about the company's SecurID authentication token was used in the recent attack against defense contractor Lockheed Martin. RSA has offered to replace the compromised tokens for high-risk customers.</description><link>http://www.secuobs.com/revue/news/309658.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/309658.shtml</guid></item>
<item><title>RSA Offers to Replace Tokens (Tue, Jun 7th)</title><description>2011-06-07 16:20:53 - SANS Internet Storm Center, InfoCON: green : RSA issued a press release, offering to replace all tokens if a customer asks for it. As an alternat</description><link>http://www.secuobs.com/revue/news/309654.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/309654.shtml</guid></item>

 </channel>
</rss>
