Security
Built-in (or bolted-on): best ways to write secure apps and protect critical data.
2006 Dr. Dobb's Journal Excellence in Programming Award
Jonathan Erickson
Moving computer security to the front lines of software development is just one reason Bruce Schneier is the recipient of this year's Excellence in Programming Award.
Quantum Cryptography Research Advances and IBM Research May Extend Moore's Law
Deirdre Blake
Quantum cryptography researchers at the University of Toronto have described the first experimental proof of a quantum decoy technique to encrypt data over fiber-optic cable. Also, researchers at IBM have found a way to extend a key chip-manufacturing process to generate smaller chip circuits. (MP3, 2:57 mins.)
Sun Patches 7 Critical Java Runtime Bugs
Gregg Keizer
Secunia labels JRE bugs "highly critical"; no word on possible exploits.
New Ada Standard on the Horizon
Jonathan Erickson
Robert Dewar explains some of the changes that the Ada 2005 standard will bring to the programming language. (MP3, 4:11 mins.)
Product Review: Standing Guard
Rick Wayne
Watchfire's complex security application can discover subtle vulnerabilities in your Web applications, letting you keep the script kiddies and malicious hackers at bay.
Infrastructure Management Institute Launched
Jonathan Erickson
Tim Ferguson explains the goals of the recently launched Infrastructure Management Institute. (MP3, 4:41 mins.)
Application Security by Design
Jonathan Erickson
In this webcast: Explore creative and contextual ways to think about software development; Learn best practices for the creation of secure code; Develop a new understanding of the engineering processes required to write robust and secure applications
Special Guide—DRM and Software Activation Tools: Protect Your Data, Enforce Your Licenses
Mike Riley
Love it or hate it, digital rights management and software activation continue to permeate commercial software. Here, we sample several selections solely on technical merit, leaving the pros and cons to the pundits.
SSH Kerberos Authentication Using GSSAPI and SSPI
Glen Matthews
Kerberos authentication can be an effective safeguard against man-in-the-middle attacks. Glen implements Kerberos by way of two popular APIs.
Validating C and C++ for Safety and Security
Robert C. Seacord
Sometimes the only way to track down security flaws such as buffer overflows is to roll up your sleeves and manually review the code. Robert outlines a process for manual review that's based on Safe-Secure C/C++.
News & Views
DDJ Staff
February 2006 News & Views.
Beware of Sony's DRM
Jerry Pournelle
Beware of Sony's Digital Rights Management (DRM) scheme, which covertly installs itself.
Security: Shifts In Intruder Behavior
Jonathan Erickson
Security expert Erik Caso reports on major shifts in the behavior and targets of online intruders. (MP3, 4:09 mins.)
Who Do You Trust?
Ed Nisley
Trusted computing means that you have to trust someone, somewhere. But can you?
Computer Theft: A Growing Problem
Jonathan Erickson
Biometric and computer security expert Greg Chevalier discusses the growing problem of mobile computer theft, and what you can do to combat it. (MP3, 7:15 mins.)
WSE 3.0: Focusing on Security
Jonathan Erickson
Ari Bixhorn, Director of Web Services Strategy for Microsoft, describes some of Web Services Enhancements 3.0's new features. (MP3, 4:02 mins.)
Wide-Character Format String Vulnerabilities
Robert C. Seacord
Robert presents strategies for handling format string vulnerabilities in C.
Homeland Security and Other So-Called Solutions: A Conversation with Bruce Schneier
Alexandra Weber Morales
Cryptographer and consultant Bruce Schneier will discuss his five-step process for dissecting security solutions, and then apply that analysis to the FAA’s Computer-Assisted Passenger Profiling System, national ID cards, FBI and CIA-level data collection and mining, Terrorist Information Analysis, e-voting and the Department of Homeland Security itself.
Static Analysis, Security Holes, & Networking Code
Andy Chou
Static analysis, which examines source code at compile time, is an effective tool for spotting security flaws. However, scaling it to large codebases is a challenge.
Are Standards Enough for Web Services Security?
Jeremy Epstein
The set of Web services standards seems to grow by the day. But if a Web services implementation supports all of these standards, is it necessarily secure?
Protecting Privileged Information on the Web
Jonathan Erickson
Breach Security's Marc Shinbrood talks about new approaches to preventing identity theft and protecting e-commerce on the Web. (MP3 audio, 5:00 mins.)
Inside the SmartDongle USB Security Key
Joel Gyllenskog
Joel lifts the hood on his USB security key.
Reestablishing Trust in the Web
Amir Herzberg, Ahmad Jbara
The TrustBar browser extension provides improved security, identification, and trust indicators.
Preventing Piracy While Preserving Privacy
Michael Rabin, Dennis E. Shasha
The security approach presented here is a privacy-preserving, flexible, antipiracy solution that does not suffer from "Break Once, Run Everywhere."
Dr. Dobb's Journal October 2005
Jonathan Erickson
Computer Security (8.8 MB)
PDC 2005: Wrap Up
Jerry Pournelle
Jerry is secure in knowing that this year's party is over.
The Role of Hardware in Exposing Security Breaches
Vadim Paretsky
Far too often, security is considered solely a software problem. However, hardware can also expose systems to security breaches.
The 7 Touchpoints of Secure Software
Gary McGraw
Just as you can't test quality into software, you can't bolt security features onto code and expect it to become hack-proof. Security must be built in throughout the application development lifecycle.
False Protection
Laurie O'Connell
We count on firewalls and antivirus tools to keep our industry afloat. What if the cure is worse than the disease?
.NET--The Decompiler Will Get You
Michael Zunke
Tools that maximize ROI while protecting intellectual property are critical. So how can you secure your IP and prevent illegal use?
More on Investigating Software and Source Code Theft
Jason Coombs
With modern development tools, it’s theoretically possible to create an application without writing a single line of code. Nonetheless, the end product can still express an original idea. Software intellectual property begins where creative effort begins, and it ends where creative effort ends.
Multi-Cultural Name Recognition
Jonathan Erickson
Jack Hermansen, co-founder and CEO of Language Analysis Systems, describes the special requirements of multi-cultural name recognition software. (MP3 audio)
Deadline: Phishing Follies
Laurie O'Connell, Luke Hohmann
Hook, line and sinker: There’s one born every minute. Also, this month’s Feature Funhouse says, “Give them a Jacuzzi!” and Amazon offers top tomes on wireless technology.
Investigating Software and Source-Code Theft
In order to protect intellectual property, you must first be able to define what the property is.
Win32 API Obscurity for I/O Blocking and Intrusion Prevention
Jason Coombs
Obscurity adds security, at least when it comes to intrusion prevention. This demo Win32 API blocker obfuscates Win32 calls as a defense against unauthorized access.
Securing the Win32 File I/O APIs
Jason Coombs
By creating an I/O firebreak with alternative custom API calls, your Windows boxes become impervious to attackers trying to exploit the standard Win32 APIs.
An Enigmatic Memorial
Simon Cozens
Simon marks the 51st anniversary of the death of Alan Turing by simulating, in Perl, the German military's infamous Enigma encryption device, which Turing was instrumental in cracking.
A Metacode Standard for Rootkit and Intrusion Prevention
Jason Coombs
Rootkit intrusions are designed to cover their tracks, but if programmers could use metacode to tell the OS what they expect their code to do in advance, it could make unwelcome code easier to detect.
Security Remeasured
Ed Nisley
Why SpeedPass might result in a lot of stolen gasoline.
Security-Hardening Third-Party Applications
Jason Coombs
The most important information security question is how to security-harden third-party applications. Whether we have access to the source code or not, an application that comes from a third-party developer or independent software vendor is typically far too complex to understand its vulnerabilities easily.
Wiping Out Sensitive Data
Jason Coombs
Deleting files doesn't mean they're erased. Here's a .NET class that wipes a file by writing zeros in place of each byte of allocated space prior to calling the regular file-deletion API.
Programmer's Book Review
Miles Thibault, Gregory V. Wilson
This month we look at Pragmatic Project Automation: How to Build, Deploy, and Monitor Java Apps, by Mike Clark; and Java Cryptography Extensions: Practical Guide for Programmer, by Jason Weiss.
Shake 'n' Break
Rick Wayne
Appease your inner de Sade with Compuware’s two new DevPartner tools, debug your Web app with Spline, and get the message with FioranoMQ 8.0. Also, Parasoft releases a fresh Jtest, with automatic JUnit test-case generation.
Understanding Oracle Attacks on Information Services
Jason Coombs
An oracle attack analyzes each interaction with a system to extract hidden data or implementation details. Defending against oracle attacks is easy -- but only if you see vulnerability in the first place.
Scripted Screen Capture
Jason Coombs
With the Windows Media Encoder SDK's automation-compliant objects and interfaces, you can write a Visual Basic Script to configure and control capture sessions.
Scripting Patch Deployment with WUA API
Jason Coombs
Perform patch updates from the command line using VBScript and the Windows Update Agent API, no Internet Explorer required.
Practical Secure Port Knocking
John Graham-Cumming
Using port knocking, you can increase security by leaving sensitive network ports closed until they are opened with a secret "knock."
E-Voting Code Vault Established
Shannon Cochran
"In an effort to increase the integrity of next week's presidential election, five voting machine makers agreed for the first time to submit their software programs to the National Software Reference Library for safekeeping, federal officials said on Tuesday. The stored software will serve as a comparison tool for election officials should they need to determine whether anyone tampered with programs installed on voting equipment."
Protecting RAM Secrets with Address Windowing Extensions
Jason Coombs
By letting you manage physical memory directly in your code, AWE can prevent Windows from swapping sensitive data from RAM to the pagefile.
Sensitive Data & the .NET Crypto API
David B. Scofield, Eric Bergman-Terrell
Properly used, the .NET Cryptography API is an effective way to safeguard sensitive data.
Beware of File-Slack Attacks
Jason Coombs
Carving ambient data out of unallocated clusters is unfortunately all too easy with just a few high-level API calls. Wiping your drive's free space is the only way to ensure that old, possibly sensitive, data can't be stolen.
Digital Rights Management
Jerry Pournelle
Is DRM bad for society?
The SecureScout Wi-Fi Security & Monitoring Framework
Michael Larson
The SecureScout framework lets you monitor attacks on Wi-Fi (802.11) wireless networks.
Secure Web Forms & Struts Extensions
Hari Gopal
Web forms with digital signatures provide a secure way to meet the authentication requirements of e-commerce apps.
A Conversation with Avi Rubin
Jack J. Woehr
DDJ contributing editor Jack Woehr talks to Avi Rubin, the world's leading authority on electronic voting and software engineering.
Spyware Exploits the Run Key—and the Law
Jason Coombs
Spyware often exploits the Run key in the Windows registry to skirt around security software. Even worse, the proposed antispyware legislation may do nothing to stop it. Here's a solution that removes the Run key entirely while keeping your Windows machine running smoothly.
Security is a Service, Not a Product
Jason Coombs
Computer security is not a static challenge, and neither is the solution. Software needs to be designed around forensic services for security monitoring and proactive defenses.
Webcam Worm Makes Spying Eyes
Shannon Cochran
The Rbot.gr worm, which targets the same Windows vulnerabilities as MSBlast and Sasser, can hijack webcams.
Solving the Malicious Content Problem
Jason Coombs
Security news is in no short supply this month, from the release of WinXP SP2 to security vulnerabilities in AOL Instant Messenger and the open-source LIBPNG library.
Tales of the Cyberterrorists
Rick Wayne
Wanna buy a continent? A new book tells you how. Also, @Stake's SmartRisk lets you get down to binary, Rally ramps up your agile apps, and Zend's WinEnabler runs PHP outside your Web server.
RFID Blocker Tags
Burt Kaliski
Blocker tags let you choose when, where, and what RFID devices are tracking you.
Runtime Call Stack Analysis with .NET
Jason Coombs
Profiling the call stack helps you spot expected behavior early on. The .NET Framework's System.Diagnostics classes make it possible.
The Intractable Screen Scraping Paradox
Jason Coombs
Does providing web access to your data have to mean surrendering control over its use?
When Format Strings Attack!
Herbert H. Thompson, James A. Whittaker
Format-string vulnerabilities happen when you fail to specify how user data will be formatted.
HTTP Response Splitting
Amit Klein, Steve Orrin
HTTP Response Splitting is a powerful new attack technique that enables other attacks.
Programmer Defects as a Proactive Defense
Jason Coombs
No matter how bulletproof you make your code, you can never guarantee its security completely. Declaring that up front is the first step toward better software security.
String-Based Attacks Demystified
Herbert H. Thompson, James A. Whittaker
Far too often, programmers trust string input without checking it for validity. That's foolish.
Security & Palm OS 5.x
Michael Yam
Michael presents techniques for using masked records and encrypting/decrypting data on the Palm OS 5.x platform.
The Secure Shell Game
Glen Matthews
Glen examines the SSH protocol and shows how it can be implemented.
From CSI to DHS: Data Tools
Amit Asaravala
Straight from CBS's hit forensics series come these methods of detecting patterns and clues that might otherwise stay buried in databases and documents. Here are a few dozen solutions for data gathering, integration, mining and analysis.
Connecting the Dots
Jesus Mena
Homeland security authorities are mobilizing to better predict and react to acts of terrorism or other disasters. A raft of existing data integration and mining tools can accomplish much of this new mission, and could inspire innovation similar to the Internet boom.
Orange Alert Books
Alexandra Weber Morales
Though you could fill a shelf with new releases claiming to reveal the inner workings of the U.S. government's post-9/11 security machine, these two are among the few actually worth perusing—that is, if you're interested in policy.
Encrypting Web Pages On a Server
Craig Riter
If a file can be accessed by the web server, then anyone on the server can view the file.
Here's a script that will read the file in, encrypt the data, and save the file on the server. The script also decrypts the file, given the correct passphrase, and sends the file to the browser.
Software--The Root of the Problem
Rosalyn Lum, Rick Wayne
Step up on security with two new tomes, hop on the platform bandwagon with SlickEdit Studio and grab a discount on Motion Computing’s Tablet PC bundle. Also, Eclipse gets a new WYSIWYG GUI builder, and Mr. T. goes way, way wireless.
WinXP SP 2 Process and Port Hardening
Jason Coombs
The "shielded mode" security settings in the upcoming Windows XP Service Pack 2 will provide the best level of safety for your machine.
Understanding the Arts of the Adversary
Herbert H. Thompson, James A. Whittaker
Securing your software requires that you understand the techniques of potential attackers.
Windows Stack Buffer Overflow Protection
Jason Coombs
Using a canary and Visual C++ 7.0's /GS compiler option can help detect security compromises.
Programming Public Key CryptoStreams, Part 2
Jason Coombs
PKEncrypt applies the RSA public key encryption algorithm to the task of file encryption using I/O streams.
Transaction Processing
Charles Curley
Transaction processing ensures data integrity in the face of catastrophic failure.
The Business Case for Software Security
Herbert H. Thompson, James A. Whittaker
Is it possible to make a business case for software security?
Security & PseudoRandom Number Generators
Ben Laurie
When it comes to security, weak randomness is sometimes better than strong randomness.
Encryption Using Crypt::CBC
Julius C. Duque
Lincoln Stein's Crypt::CBC module is a pure Perl implementation of Cipher Block Chaining. I'll illustrate how Crypt::CBC works in two Perl scripts. The first, khazad, shows how to encrypt simple messages. The second illustrates the use of Serpent, a 128-bit block cipher that uses a 128-bit key.
Programming Public Key CryptoStreams, Part 1
Jason Coombs
A look at symmetric and asymmetric cryptography, and at creating and managing cryptographic keys.
Rethinking Software Security
James A. Whittaker, Herbert H. Thompson
In the first installment of this series on security, our authors argue that security is now a business case.
Packet Sniffing for Incident Response
Jason Coombs
Rapid recovery from a hack is important, but so is finding and closing the security hole. Windows XP's Network Monitor generates a complete log of all of your network traffic to help identify and repair security flaws.
Programmer's Book Review
Jack Woehr, Gregory V. Wilson
Jack examines Linux on the Mainframe, Practical Unix & Internet Security, Third Edition, and the new edition of Stevens' classic Unix Network Programming, Volume 1: The Socket Networking API.
Detecting Man in the Middle Attacks with DNS
Jason Coombs
Build a dynamic URL generator in C# that singles out MITM attackers by detecting multiple IP address mismatches originating from the same IP address.
Acrobatic Elegance
Larry O'Brien
Adobe's versatile—and increasingly ubiquitous—Portable Document Format has a flexibility and grace all its own, but lacks solid security restrictions and isn't yet developer-friendly.
More on Hash Codes and Security
Jason Coombs
A reader's tale of building a "bootstrapping loader" inspires a discussion of the challenges of creating tamper-proof software.
Forensic Data Validation and Integrity Logging
Jason Coombs
Is it possible to get "Data In, Garbage Out" without knowing it? It is, unless your system provides an automated way of verifying the integrity of its data.
Counterfeit Software, Digital Rights Management, and Security
Jason Coombs
Some proposed security technologies could negatively impact your privacy rights.
Antivirus Software Turned Upside Down
Jason Coombs
Rather than keeping track of known, bad software, what if your system only allowed known, safe software to run? Here's a simple control to verify approved software for execution.
Building a Database of Known Hashes
Jason Coombs
Assembling forensic hash sets of code and other installed files is the most important security precaution.
HDTV & Broadcast Flags
Linden DeCarmo
The Redistribution Control Descriptor, commonly referred to as the "broadcast flag," is the controversial copy-protection and file-sharing technique some in the HDTV industry want to mandate.
SAML & Single Sign-On
S. Srivatsa Swan
Single Sign-On systems authenticate users once, then authorize or reject them across multiple services. Sivan implements Single Sign-On using the Security Assertion Markup Language (SAML).
Helix: Fast Encryption & Authentication
Niels Ferguson, Bruce Schneier
Helix lets you perform both encryption and authentication—and does so fast! In fact, Helix appears to be twice as fast as AES.
Red-Team Application Security Testing
Herbert H. Thompson, Scott G. Chase
Red-team security testing demands focused application security testing that is independent of the development group and usually falls outside normal application-testing channels.
Hiding in Plain Sight
Eric Cole
Download a PDF sample chapter from Hiding in Plain Sight, by Eric Cole: Chapter 6, "Nuts and Bolts of Steganography".
Practical Cryptography
Niels Ferguson, Bruce Schneier
Download a PDF of sample chapters from Practical Cryptography, by Niels Ferguson and Bruce Schneier: Chapter 11, "Primes"; Chapter 12, "Diffie-Hellman".
From the authors' preface: "Practical Cryptography is our attempt to bridge the gap between the promise of cryptography and the reality of cryptography. It’s our attempt to teach engineers how to use cryptography to increase security."
Hash Codes and Security
Jason Coombs
Using forensic hash sets for information security or legal forensics.