OWASP Top 10 and Data Mining in Financial Sector#

OWASP’s list has changed in its priorities since 2004; XSS and injection flaws are on the rise. Details can be found on OWASP’s website.

2007                                                    2004
A1 - Cross Site Scripting (XSS)                         A1 - Unvalidated Input
A2 - Injection Flaws                                    A2 - Broken Access Control
A3 - Malicious File Execution                           A3 - Broken Authentication and Session Management
A4 - Insecure Direct Object Reference                   A4 - Cross Site Scripting
A5 - Cross Site Request Forgery (CSRF)                  A5 - Buffer Overflow
A6 - Information Leakage and Improper Error Handling    A6 - Injection Flaws
A7 - Broken Authentication and Session Management       A7 - Improper Error Handling
A8 - Insecure Cryptographic Storage                     A8 - Insecure Storage
A9 - Insecure Communications                            A9 - Application Denial of Service
A10 - Failure to Restrict URL Access                    A10 - Insecure Configuration Management

 

OWASP .NET Projects
http://www.owasp.org/index.php/Category:OWASP_.NET_Project

References and Papers on Financial Data Mining

  • Mine Your Way to Combat Money Laundering
  • OFAC SDN List www.ustreas.gov/offices/enforcement/ofac/sdn/
  • FinCen www.fincen.gov/
  • FATF www.fatf-gafi.org/
  • Suspicious Activity Report
  • Keys to a Well Prepared Suspicious Activity Report
  • A framework for data mining-based anti-money laundering research
  • Profiling Behavior: The social construction of categories in the detection of financial crime; dissertation by Ana Canhoto
  • Towards a Proactive Fraud Management Framework for Financial Data Streams
  • T. Senator. "The financial crimes enforcement network AI system (FAIS)." AI Magazine 4, 1995.
  • M. Sparrow. "The State of the Fraud Control Game; and the Impact of Electronic Claims Processing on Fraud and Fraud Control." Proceedings of the International Symposium on Criminal Justice Information Systems and Technology, 1994.
  • U.S. Congress, Office of Technology Assessment (OTA). "Information Technologies for Control of Money Laundering." OTA-ITC-630. Washington, DC: U.S. Government Printing Office, September 1995.
  • Zdanowicz, J.S. (2004), "Detecting money laundering and terrorist financing via data mining", Communications of the ACM, Vol. 47 No.5
  • Watkins, R.C., Reynolds, K.M., Demara, R., Georgiopoulos, M., Gonzalez, A., Eaglin, R. (2003), "Tracking dirty proceeds: exploring data mining technologies as tools to investigate money laundering", Police Practice and Research, Vol. 4 No.2, pp.163-78.
  • Vikram, A., Chennuru, S., Rao, H.R., Upadhyaya, S. (2004), "A solution architecture for financial institutions to handle illegal activities: a neural networks approach", Proceedings of the 37th Hawaii International Conference on System Sciences-2004
  • Zhang, Z., Salerno, J.J., Yu, P.S. (2003), "Applying data mining in investigating money laundering crimes", paper presented at SIGKDD'03, Washington, DC, pp.747-52.
  • Senator, T.E., Goldberg, H.G., Wooton, J. (1995), "The financial crimes enforcement network AI system (FAIS): identifying potential money laundering from reports of large cash transactions", AI Magazine, Vol. 16 No.4, pp.21-39.
  • Tang, J., Yin, J. (2005), "Developing an intelligent data discriminating system of anti-money laundering based on SVM", Proceedings of the Fourth International Conference on Machine Learning and Cybernetics, Guangzhou, pp.3453-7.
  • Kingdon, J. (2004), "AI fights money laundering", IEEE Intelligent Systems, Vol. 5/6 pp.87
  • Goldberg, H.G., Wong, R.W.H. (1998), "Restructuring transactional data for link analysis in the FinCEN AI System", Proceedings of 1998 AAAI Fall Symposium on Artificial Intelligence and Link Analysis, AAAI Press, Menlo Park, CA.
  • Fawcett, T., Provost, F. (1997), "Adaptive fraud detection", Data Mining and Knowledge Discovery, Vol. 1 No.3, pp.291-316.




7/20/2008 9:50:26 PM (Pacific Standard Time, UTC-08:00)

 

Https with BasicHTTPBinding - Note to Self#
So if you are looking to implement SSL using basicHttpBinding for your WCF service, look no further. Here are your config file settings.

The modified basicHttpBinding to allow security mode = Transport:

<bindings>
    <basicHttpBinding>
        <binding name="defaultBasicHttpBinding">
            <security mode="Transport">
                <transport clientCredentialType="None"/>
            </security>
        </binding>
    </basicHttpBinding>
</bindings>

which corresponds to your endpoint (the bindingConfiguration attribute is what ties the endpoint to the binding above).

<system.serviceModel>
    <services>
        <service behaviorConfiguration="MyServiceBehavior"
                 name="MyServiceName">
            <endpoint address="https://AdnanMasood.com/MyService.svc"
                      binding="basicHttpBinding"
                      bindingConfiguration="defaultBasicHttpBinding"
                      contract="Axis.IServiceContract" />
        </service>
    </services>
    <!-- the <bindings> and <behaviors> sections shown in this post also go inside system.serviceModel -->
</system.serviceModel>

and the httpsGetEnabled setting on the service behavior, so metadata is only served over HTTPS:

<behaviors>
    <serviceBehaviors>
        <behavior name="MyServiceBehavior">
            <serviceMetadata httpsGetEnabled="true"/>
            <serviceDebug includeExceptionDetailInFaults="false"/>
        </behavior>
    </serviceBehaviors>
</behaviors>

And last but not least, if hosting in IIS, here is the appSettings key for the custom service host factory. Details about how to do this part can be found in the MSDN article "Deploying an Internet Information Services-Hosted WCF Service" referenced below.

<appSettings>
    <add key="CustomIISServiceHostEndPoint" value="https://AdnanMasood.com/MyService.svc"/>
</appSettings>


and you should be all set. Got any questions, email me.
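As an added check (example code written for this note, not part of the original post and not a WCF API), the following Python script parses a web.config and reports the settings above that are missing or weakened: a basicHttpBinding endpoint whose bindingConfiguration does not use security mode Transport, an absolute endpoint address that is not https, metadata served over plain HTTP (httpGetEnabled), and includeExceptionDetailInFaults left on. The two configs embedded in it are constructed samples; the hardened one mirrors the settings in this post, the weak one is the same service with those settings undone.

```python
"""Lint a WCF web.config for the HTTPS/basicHttpBinding settings described above.

Added example (not code from the original post, and not a WCF API): it uses only
the Python standard library and inspects the XML directly.
"""
import xml.etree.ElementTree as ET
from typing import List
from urllib.parse import urlparse

# basicHttpBinding security modes that put the whole exchange on TLS.
TLS_MODES = {"Transport", "TransportWithMessageCredential"}


def _find_service_model(root: ET.Element):
    # The section name contains a dot, so match the tag directly instead of using a path.
    for child in root:
        if child.tag == "system.serviceModel":
            return child
    return None


def check_service_model(config_xml: str) -> List[str]:
    """Return a list of findings; an empty list means the config matches the post."""
    root = ET.fromstring(config_xml)
    model = _find_service_model(root)
    if model is None:
        return ["no <system.serviceModel> section found"]

    # bindingConfiguration name -> security mode. When <security> is absent WCF
    # defaults basicHttpBinding to mode="None", i.e. plain HTTP.
    modes = {}
    for binding in model.iterfind("bindings/basicHttpBinding/binding"):
        security = binding.find("security")
        modes[binding.get("name", "")] = (
            security.get("mode", "None") if security is not None else "None"
        )

    behaviors = {
        b.get("name", ""): b for b in model.iterfind("behaviors/serviceBehaviors/behavior")
    }

    findings: List[str] = []
    for service in model.iterfind("services/service"):
        name = service.get("name", "?")
        behavior = behaviors.get(service.get("behaviorConfiguration", ""))
        if behavior is not None:
            metadata = behavior.find("serviceMetadata")
            if metadata is not None and metadata.get("httpGetEnabled", "false").lower() == "true":
                findings.append(f"{name}: metadata is exposed over plain HTTP (httpGetEnabled=true)")
            debug = behavior.find("serviceDebug")
            if debug is not None and debug.get("includeExceptionDetailInFaults", "false").lower() == "true":
                findings.append(f"{name}: includeExceptionDetailInFaults=true leaks exception details to callers")

        for endpoint in service.iterfind("endpoint"):
            if endpoint.get("binding") != "basicHttpBinding":
                continue  # only the binding this post is about
            address = endpoint.get("address", "")
            # No bindingConfiguration means the unnamed default binding, or WCF's own default (None).
            mode = modes.get(endpoint.get("bindingConfiguration", ""), modes.get("", "None"))
            label = f"{name} endpoint {address or '(relative address)'}"
            if mode not in TLS_MODES:
                findings.append(f"{label}: basicHttpBinding security mode is {mode}, expected Transport")
            scheme = urlparse(address).scheme.lower()
            if address and scheme != "https":
                findings.append(f"{label}: address scheme is {scheme}, expected https")
    return findings


# Constructed sample mirroring the settings in this post.
HARDENED_CONFIG = """<configuration>
  <system.serviceModel>
    <bindings><basicHttpBinding>
      <binding name="defaultBasicHttpBinding">
        <security mode="Transport"><transport clientCredentialType="None"/></security>
      </binding>
    </basicHttpBinding></bindings>
    <services>
      <service behaviorConfiguration="MyServiceBehavior" name="MyServiceName">
        <endpoint address="https://AdnanMasood.com/MyService.svc" binding="basicHttpBinding"
                  bindingConfiguration="defaultBasicHttpBinding" contract="Axis.IServiceContract"/>
      </service>
    </services>
    <behaviors><serviceBehaviors>
      <behavior name="MyServiceBehavior">
        <serviceMetadata httpsGetEnabled="true"/>
        <serviceDebug includeExceptionDetailInFaults="false"/>
      </behavior>
    </serviceBehaviors></behaviors>
  </system.serviceModel>
</configuration>"""

# Constructed sample: the same service with every protection undone.
WEAK_CONFIG = (
    HARDENED_CONFIG.replace('mode="Transport"', 'mode="None"')
    .replace("https://AdnanMasood.com", "http://AdnanMasood.com")
    .replace('httpsGetEnabled="true"', 'httpGetEnabled="true"')
    .replace('includeExceptionDetailInFaults="false"', 'includeExceptionDetailInFaults="true"')
)

if __name__ == "__main__":
    for label, cfg in (("hardened", HARDENED_CONFIG), ("weak", WEAK_CONFIG)):
        print(f"{label}: {check_service_model(cfg) or ['OK']}")
```

Run it against a real file with `check_service_model(open("web.config").read())`. The helper only inspects basicHttpBinding endpoints, because that binding defaults to no security at all; wsHttpBinding endpoints (which default to Message security) are deliberately left alone, and a relative endpoint address is not flagged since its scheme comes from the IIS site binding.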

Helpful Links

Inside the Standard Bindings: BasicHttp
http://blogs.msdn.com/drnick/archive/2006/06/01/612672.aspx

WCF-basicHttp receive location
http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=2154774&SiteID=1

<basicHttpBinding>
http://msdn.microsoft.com/en-us/library/ms731361.aspx

WCF Endpoints
http://www.vistax64.com/indigo/86653-wcf-endpoints.html

Securing your Web Service
http://www.theserverside.net/tt/articles/showarticle.tss?id=SecuringWCFService

Deploying an Internet Information Services-Hosted WCF Service
http://msdn.microsoft.com/en-us/library/aa751792.aspx

Custom Service Host
http://msdn.microsoft.com/en-us/library/aa395224.aspx





7/15/2008 11:23:46 PM (Pacific Standard Time, UTC-08:00)

 

ISSA-LA Meeting on Hacking Intranet Website and Best Security Measures#

Yesterday's ISSA (Information Systems Security Association) LA chapter monthly member meeting was highlighted by Jeremiah Grossman's presentation on Hacking Intranet Websites from the Outside and Best Practice Security Measures. Stan Stahl of Citadel Information Security Group and president of the ISSA-LA chapter invited us to this lunch meeting, which was very informative from a development and architectural perspective. I, along with a few work colleagues, attended and immensely enjoyed it.

Jeremiah is CTO of WhiteHat Security and a security enthusiast. In a brief conversation with him about CAPTCHA's effectiveness, he summarized it as "bad guys are winning". By using promiscuous websites as CAPTCHA validation engines, they have created a mechanical turk to avoid bot detection; and of course the OCRs are getting better and better too. In response to another question about blocking IPs for suspicious activity, he mentioned that intelligence based on IP is not a bad solution, but in the presence of anonymity engines like Tor it's not quite deterministic and should be used with care. The CTO of WhiteHat Security mentioned cross-site request forgery as one of the biggest upcoming threats, which is getting more and more press.

The presenter listed the following as his top 10 Web 2.0 vulnerabilities and provided samples during his demo for each of them. Here is an excerpt from his blog; check out the full list there.

  1. Web Browser Intranet Hacking / Port Scanning - (with JavaScript and with HTML-only and the improved model)
  2. Internet Explorer 7 "mhtml:" Redirection Information Disclosure (PATCHED)
  3. Anti-DNS Pinning and Circumventing Anti-Anti DNS pinning
  4. Web Browser History Stealing - (with CSS, evil marketing, JS login-detection, and authenticated images)
  5. Backdooring Media Files (QuickTime, Flash, PDF, Images, Word [2], and MP3s)
  6. Forging HTTP request headers with Flash
  7. Exponential XSS (Multi-site propagation)
  8. Encoding Filter Bypass (UTF-7, Variable Width, US-ASCII)
  9. Web Worms - (MySpace, Xanga)
  10. Hacking RSS Feeds

Here is a link to his earlier talk this year. From a .NET developer's point of view, effective usage of framework features to avoid XSS was highly recommended. Most of these issues would be covered by following the OWASP Top 10 best practices; however, web developers should also be at least aware of exploits which are beyond their control and are more browser/platform dependent (items 3, 4, 5 and 6 on the list), so they will be able to respond with a contingency plan in case of any such compromise.

With Ajax talking directly to web services, the risk of attack is on the rise. Here are multiple videos about Ajax hacking (and prevention using ASP.NET).

References:

ha.ckers.org web application security lab





7/19/2007 6:09:51 AM (Pacific Standard Time, UTC-08:00)

 

All content © 2008, Adnan Masood