Writing Secure Code Code
Total Page:16
File Type:pdf, Size:1020Kb
Load more
Recommended publications
-
Second Edition Microsoft Azure Essentials
Fundamentals of Azure Second Edition Microsoft Azure Essentials Michael Collier Robin Shahan PUBLISHED BY Microsoft Press A division of Microsoft Corporation One Microsoft Way Redmond, Washington 98052-6399 Copyright © 2016 by Michael Collier, Robin Shahan All rights reserved. No part of the contents of this book may be reproduced or transmitted in any form or by any means without the written permission of the publisher. ISBN: 978-1-5093-0296-3 Microsoft Press books are available through booksellers and distributors worldwide. If you need support related to this book, email Microsoft Press Support at [email protected]. Please tell us what you think of this book at http://aka.ms/tellpress. This book is provided “as-is” and expresses the author’s views and opinions. The views, opinions and information expressed in this book, including URL and other Internet website references, may change without notice. Some examples depicted herein are provided for illustration only and are fictitious. No real association or connection is intended or should be inferred. Microsoft and the trademarks listed at http://www.microsoft.com on the “Trademarks” webpage are trademarks of the Microsoft group of companies. All other marks are property of their respective owners. Acquisitions Editor: Devon Musgrave Developmental Editor: Carol Dillingham Editorial Production: Cohesion Copyeditor: Ann Weaver Cover: Twist Creative • Seattle To my wife, Sonja, and sons, Aidan and Logan; I love you more than words can express. I could not have written this book without your immense support and patience. —Michael S. Collier I dedicate this book to the many people who helped make this the best book possible by reviewing, discussing, and sharing their technical wisdom. -
Medtronic Care Management Services, LLC CC FM TLS/SRTP FIPS 140
Medtronic Care Management Services, LLC CC FM TLS/SRTP FIPS 140‐2 Cryptographic Module Non‐Proprietary Security Policy Version: 1.6 Date: March 16, 2016 Copyright Medtronic Care Management Services 2016 Version 1.6 Page 1 of 14 Medtronic Care Management Services Public Material – May be reproduced only in its original entirety (without revision). Table of Contents 1 Introduction .................................................................................................................... 4 1.1 Cryptographic Boundary ..............................................................................................................5 1.2 Mode of Operation .......................................................................................................................5 2 Cryptographic Functionality ............................................................................................. 6 2.1 Critical Security Parameters .........................................................................................................7 2.2 Public Keys ....................................................................................................................................8 3 Roles, Authentication and Services .................................................................................. 8 3.1 Assumption of Roles .....................................................................................................................8 3.2 Services and CSP Access Rights ....................................................................................................8 -
Introducing Windows Azure for IT Professionals
Introducing Windows ServerIntroducing Release 2012 R2 Preview Introducing Windows Azure For IT Professionals Mitch Tulloch with the Windows Azure Team PUBLISHED BY Microsoft Press A Division of Microsoft Corporation One Microsoft Way Redmond, Washington 98052-6399 Copyright © 2013 Microsoft Corporation All rights reserved. No part of the contents of this book may be reproduced or transmitted in any form or by any means without the written permission of the publisher. Library of Congress Control Number: 2013949894 ISBN: 978-0-7356-8288-7 Microsoft Press books are available through booksellers and distributors worldwide. If you need support related to this book, email Microsoft Press Book Support at [email protected]. Please tell us what you think of this book at http://www.microsoft.com/learning/booksurvey. Microsoft and the trademarks listed at http://www.microsoft.com/about/legal/en/us/IntellectualProperty/ Trademarks/EN-US.aspx are trademarks of the Microsoft group of companies. All other marks are property of their respective owners. The example companies, organizations, products, domain names, email addresses, logos, people, places, and events depicted herein are fictitious. No association with any real company, organization, product, domain name, email address, logo, person, place, or event is intended or should be inferred. This book expresses the author’s views and opinions. The information contained in this book is provided without any express, statutory, or implied warranties. Neither the authors, Microsoft Corporation, nor -
Microsoft Azure Essentials Azure Machine Learning
Azure Machine Learning Microsoft Azure Essentials Jeff Barnes Visit us today at microsoftpressstore.com • Hundreds of titles available – Books, eBooks, and online resources from industry experts • Free U.S. shipping • eBooks in multiple formats – Read on your computer, tablet, mobile device, or e-reader • Print & eBook Best Value Packs • eBook Deal of the Week – Save up to 60% on featured titles • Newsletter and special offers – Be the first to hear about new releases, specials, and more • Register your book – Get additional benefits Hear about it first. Get the latest news from Microsoft Press sent to your inbox. • New and upcoming books • Special offers • Free eBooks • How-to articles Sign up today at MicrosoftPressStore.com/Newsletters Wait, there’s more... Find more great content and resources in the Microsoft Press Guided Tours app. The Microsoft Press Guided Tours app provides insightful tours by Microsoft Press authors of new and evolving Microsoft technologies. • Share text, code, illustrations, videos, and links with peers and friends • Create and manage highlights and notes • View resources and download code samples • Tag resources as favorites or to read later • Watch explanatory videos • Copy complete code listings and scripts Download from Windows Store PUBLISHED BY Microsoft Press A division of Microsoft Corporation One Microsoft Way Redmond, Washington 98052-6399 Copyright © 2015 Microsoft Corporation. All rights reserved. No part of the contents of this book may be reproduced or transmitted in any form or by any means without the written permission of the publisher. ISBN: 978-0-7356-9817-8 Microsoft Press books are available through booksellers and distributors worldwide. -
No Random, No Ransom: a Key to Stop Cryptographic Ransomware
No Random, No Ransom: A Key to Stop Cryptographic Ransomware Ziya Alper Genç, Gabriele Lenzini, and Peter Y.A. Ryan Interdisciplinary Centre for Security Reliability and Trust (SnT) University of Luxembourg Abstract. To be effective, ransomware has to implement strong encryp- tion, and strong encryption in turn requires a good source of random numbers. Without access to true randomness, ransomware relies on the pseudo random number generators that modern Operating Systems make available to applications. With this insight, we propose a strategy to miti- gate ransomware attacks that considers pseudo random number generator functions as critical resources, controls accesses on their APIs and stops unauthorized applications that call them. Our strategy, tested against 524 active real-world ransomware samples, stops 94% of them, including WannaCry, Locky, CryptoLocker and CryptoWall. Remarkably, it also nullifies NotPetya, the latest offspring of the family which so far has eluded all defenses. Keywords: ransomware, cryptographic malware, randomness, mitigation. 1 Introduction Ransomware is a malware, a malicious software that blocks access to victim’s data. In contrast to traditional malware, whose break-down is permanent, ransomware’s damage is reversible: access to files can be restored on the payment of a ransom, usually a few hundreds US dollars in virtual coins. Despite being relatively new, this cyber-crime is spreading fast and it is believed to become soon a worldwide pandemic. According to [24], a US Govern- ment’s white paper dated June 2016, on average more than 4,000 ransomware attacks occurred daily in the USA. This is 300-percent increase from the previous year and such important increment is probably due to the cyber-crime’s solid business model: with a small investment there is a considerable pecuniary gain which, thanks to the virtual currency technology, can be collected reliably and in a way that is not traceable by the authorities. -
Cryptanalysis of the Random Number Generator of the Windows Operating System
Cryptanalysis of the Random Number Generator of the Windows Operating System Leo Dorrendorf School of Engineering and Computer Science The Hebrew University of Jerusalem 91904 Jerusalem, Israel [email protected] Zvi Gutterman Benny Pinkas¤ School of Engineering and Computer Science Department of Computer Science The Hebrew University of Jerusalem University of Haifa 91904 Jerusalem, Israel 31905 Haifa, Israel [email protected] [email protected] November 4, 2007 Abstract The pseudo-random number generator (PRNG) used by the Windows operating system is the most commonly used PRNG. The pseudo-randomness of the output of this generator is crucial for the security of almost any application running in Windows. Nevertheless, its exact algorithm was never published. We examined the binary code of a distribution of Windows 2000, which is still the second most popular operating system after Windows XP. (This investigation was done without any help from Microsoft.) We reconstructed, for the ¯rst time, the algorithm used by the pseudo- random number generator (namely, the function CryptGenRandom). We analyzed the security of the algorithm and found a non-trivial attack: given the internal state of the generator, the previous state can be computed in O(223) work (this is an attack on the forward-security of the generator, an O(1) attack on backward security is trivial). The attack on forward-security demonstrates that the design of the generator is flawed, since it is well known how to prevent such attacks. We also analyzed the way in which the generator is run by the operating system, and found that it ampli¯es the e®ect of the attacks: The generator is run in user mode rather than in kernel mode, and therefore it is easy to access its state even without administrator privileges. -
Chris Gombos
Chris Gombos Gender: Male Service: 203-257-4988 Height: 6 ft. 2 in. Mobile: 203-257-4988 Weight: 215 pounds E-mail: [email protected] Eyes: Blue Web Site: http://www.atbstunts... Hair Length: Regular Waist: 36 Inseam: 33 Shoe Size: 9.5 Physique: Athletic Coat/Dress Size: 45 Ethnicity: Caucasian / White Unique Traits: TATTOOS (Got Them) Photos Film Credits we own the night stunt cop 2929/james gray/ manny siverio college road trip stunt goon disney/roger kumble/manny siverio life before her eyes cop/driver 29/29/vladim perelman/manhy siverio friends with benefits( 2007) angry bar customer/ falls what were we thinking/gorman bechard abuduction stunt cia agent/ utility stunts john singleton/ brad martin violet & daisey man #4 stunts Geoffery fletcher/pete bucossi solomon grundy stunt double/ stunt coordinator wacky chan productions/ mattson tomlin/chris gombos nor'easter hockey coach/ hockey action noreaster productions/andrew coordinator brotzman/chris gombos brass tea pot cowboy / stunts chris columbo/ manny siverio The wedding Stunts Lionsgate/ justin zackham/ roy farfel Devoured Stunt double Secret weapon films/ greg Oliver / Curtis Lyons Generated on 09/24/2021 08:39:14 pm Page 1 of 3 Television Bored to death season 3 ep8 Stunt double Danny hoch Hbo / /Pete buccossi Law & order svu " pursuit" Stunt double Jery hewitt / Ian McLaughlin ( stunt coordinators ) jersey city goon #2/ stunts fx/daniel minahan/pete buccosi person of interest season 1 ep 2 rough dude#2 / stunts cbs/ /jeff gibson "ghost" Boardwalk empire season 2 ep Mike Griswalt/ stunts Hbo/ Timothy van patten/ steve 12 pope Onion news network season 2 ep Stunt driver/ glen the producer Comedy central / / manny Siverio 4 Onion news network season 2 ep Stunt reporter Comedy central / / manny Siverio 6 gun hill founding patriot1 / stunts bet/reggie rock / jeff ward blue bloods ep "uniforms" s2 joey sava / stunts cbs/ / cort hessler ep11 Person of interest ep firewall Stunts/ hr cop CBS / Jonah Nolan / jeff gibson Person of interest ep bad code Brad / stunts CBS/. -
NET Technology Guide for Business Applications // 1
.NET Technology Guide for Business Applications Professional Cesar de la Torre David Carmona Visit us today at microsoftpressstore.com • Hundreds of titles available – Books, eBooks, and online resources from industry experts • Free U.S. shipping • eBooks in multiple formats – Read on your computer, tablet, mobile device, or e-reader • Print & eBook Best Value Packs • eBook Deal of the Week – Save up to 60% on featured titles • Newsletter and special offers – Be the first to hear about new releases, specials, and more • Register your book – Get additional benefits Hear about it first. Get the latest news from Microsoft Press sent to your inbox. • New and upcoming books • Special offers • Free eBooks • How-to articles Sign up today at MicrosoftPressStore.com/Newsletters Wait, there’s more... Find more great content and resources in the Microsoft Press Guided Tours app. The Microsoft Press Guided Tours app provides insightful tours by Microsoft Press authors of new and evolving Microsoft technologies. • Share text, code, illustrations, videos, and links with peers and friends • Create and manage highlights and notes • View resources and download code samples • Tag resources as favorites or to read later • Watch explanatory videos • Copy complete code listings and scripts Download from Windows Store Free ebooks From technical overviews to drilldowns on special topics, get free ebooks from Microsoft Press at: www.microsoftvirtualacademy.com/ebooks Download your free ebooks in PDF, EPUB, and/or Mobi for Kindle formats. Look for other great resources at Microsoft Virtual Academy, where you can learn new skills and help advance your career with free Microsoft training delivered by experts. -
Vulnerabilities of the Linux Random Number Generator
Black Hat 2006 Open to Attack Vulnerabilities of the Linux Random Number Generator Zvi Gutterman Chief Technology Officer with Benny Pinkas Tzachy Reinman Zvi Gutterman CTO, Safend Previously a chief architect in the IP infrastructure group for ECTEL (NASDAQ:ECTX) and an officer in the Israeli Defense Forces (IDF) Elite Intelligence unit. Master's and Bachelor's degrees in Computer Science from the Israeli Institute of Technology. Ph.D. candidate at the Hebrew University of Jerusalem, focusing on security, network protocols, and software engineering. - Proprietary & Confidential - Safend Safend is a leading provider of innovative endpoint security solutions that protect against corporate data leakage and penetration via physical and wireless ports. Safend Auditor and Safend Protector deliver complete visibility and granular control over all enterprise endpoints. Safend's robust, ultra- secure solutions are intuitive to manage, almost impossible to circumvent, and guarantee connectivity and productivity, without sacrificing security. For more information, visit www.safend.com. - Proprietary & Confidential - Pseudo-Random-Number-Generator (PRNG) Elementary and critical component in many cryptographic protocols Usually: “… Alice picks key K at random …” In practice looks like random.nextBytes(bytes); session_id = digest.digest(bytes); • Which is equal to session_id = md5(get next 16 random bytes) - Proprietary & Confidential - If the PRNG is predictable the cryptosystem is not secure Demonstrated in - Netscape SSL [GoldbergWagner 96] http://www.cs.berkeley.edu/~daw/papers/ddj-netscape.html Apache session-id’s [GuttermanMalkhi 05] http://www.gutterman.net/publications/2005/02/hold_your_sessions_an_attack_o.html - Proprietary & Confidential - General PRNG Scheme 0 0 01 Stateseed 110 100010 Properties: 1. Pseudo-randomness Output bits are indistinguishable from uniform random stream 2. -
Microsoft Acquires Massive, Inc
S T A N F O R D U N I V E R S I T Y! 2 0 0 7 - 3 5 3 - 1! W W W . C A S E W I K I . O R G! R e v . M a y 2 9 , 2 0 0 7 MICROSOFT ACQUIRES MASSIVE, INC. May 4th, 2006 T A B L E O F C O N T E N T S 1. Introduction 2. Industry Overview 2.1. The Advertising Opportunity Within Video Games 2.2. Market Size and Demographics 2.3. Video Games and Advertising 2.4. Market Dynamics 3. Massive, Inc. ! Company Background 3.1. Founding of Massive 3.2. The Financing of Massive 3.3. Product Launch / Technology 3.4. The Massive / Microsoft Deal 4. Microsoft, Inc. within the Video Game Industry 4.1. Role as a Game Publisher / Developer 4.2. Acquisitions 4.3. Role as an Electronic Advertising Network 4.4. Statements Regarding the Acquisition of Massive, Inc. 5. Exhibits 5.1. Table of Exhibits 6. References ! 2 0 0 7 - 3 5 3 - 1! M i c r o s o f t A c q u i s i t i o n o f M a s s i v e , I n c .! I N T R O D U C T I O N In May 2007, Microsoft Corporation was a company in transition. Despite decades of dominance in its core markets of operating systems and desktop productivity software, Mi! crosoft was under tremendous pressure to create strongholds in new market spaces. -
Adam Tornhill — «Your Code As a Crime Scene
Early praise for Your Code as a Crime Scene This book casts a surprising light on an unexpected place—my own code. I feel like I’ve found a secret treasure chest of completely unexpected methods. Useful for programmers, the book provides a powerful tool to smart testers, too. ➤ James Bach Author, Lessons Learned in Software Testing You think you know your code. After all, you and your fellow programmers have been sweating over it for years now. Adam Tornhill uses thinking in psychology together with hands-on tools to show you the bad parts. This book is a red pill. Are you ready? ➤ Björn Granvik Competence manager Adam Tornhill presents code as it exists in the real world—tightly coupled, un- wieldy, and full of danger zones even when past developers had the best of inten- tions. His forensic techniques for analyzing and improving both the technical and the social aspects of a code base are a godsend for developers working with legacy systems. I found this book extremely useful to my own work and highly recommend it! ➤ Nell Shamrell-Harrington Lead developer, PhishMe By enlisting simple heuristics and data from everyday tools, Adam shows you how to fight bad code and its cohorts—all interleaved with intriguing anecdotes from forensic psychology. Highly recommended! ➤ Jonas Lundberg Senior programmer and team leader, Netset AB After reading this book, you will never look at code in the same way again! ➤ Patrik Falk Agile developer and coach Do you have a large pile of code, and mysterious and unpleasant bugs seem to appear out of nothing? This book lets you profile and find out the weak areas in your code and how to fight them. -
Wheel of Fortune ANALYZING EMBEDDED OS (CS)PRNGS
Wheel of Fortune ANALYZING EMBEDDED OS (CS)PRNGS JOS WETZELS ALI ABBASI WHOIS • Jos Wetzels1,2 • Researcher, MSc student • samvartaka.github.io • Ali Abbasi1,3 • Ph.D. candidate • http://wwwhome.cs.utwente.nl/~abbasia/ 1Distributed and Embedded System Security (DIES) group, University of Twente, Netherlands 2SEC Group, Eindhoven University of Technology, Netherlands 3SYSSEC Group, Ruhr-University Bochum, Germany ABOUT • Introduction to Embedded OS Random Number Generators • Embedded Challenges Overview • Case Studies • Product of ongoing research EMBEDDED SYSTEMS ARE EVERYWHERE EMBEDDED SYSTEMS ARE BOOMING © DigiReach EMBEDDED RANDOMNESS IS HARD ROADMAP • Why Does This Matter? • OS PRNGs • Embedded Challenges • Case Studies SOME TERMS • Interested in random bits • Cannot predict next bit with Pr. > 0.5 • Entropy (Shannon / Renyi / …) • Measure of information unpredictability • High entropy → very random WHY RANDOMNESS IS IMPORTANT? • Cryptography • Keys, Nonces, Etc. • Exploit Mitigations • ASLR → Randomize address space • Stack Smashing Protection → Randomize canaries • Randomness is critical to security ecosystem • Failure has massive impact TRUE RANDOM NUMBER GENERATORS • Physical (‘true’) entropy source • Radioactive Decay, Shot Noise, Etc. • Two ways to implement it: • External (dedicated device) • Trusted Platform Module (TPM) • Hardware Security Module (HSM) • Integrated • Intel Ivy Bridge RdRand • Certain Smartcards • Downsides • Expensive • Portability issues PSEUDO RANDOM NUMBER GENERATORS • Software based • Deterministic algorithm