Deepak (Moderator):
Today's Chat is going to revolve around Security Basics.
Deepak (Moderator):
And to share with us their valuable knowledge, we have four experts
Deepak (Moderator):
Sasidhar V., SDET, Connected Services Framework Team - IDC
Sivakumar A., SDET, Communicator Mobile Team - IDC.
Sravanthi Andhavarapu, Software Design Engineer/Test, IDC WinFS
team.
Arun Mehta, SDET, SQL Mobile Team.
Deepak (Moderator):
Let us begin with a brief of our experts
Deepak (Moderator):
Sasi has been working at Microsoft for nearly 3 years. He has worked
on projects like MSN Toolbar, Excel Mobile, Information Rights
Management and now on My Mobile Media.
Deepak (Moderator):
Siva has been here at Microsoft for the past 1+ year working with
the Communicator Mobile team.
He is primarily responsible for Security in the team. His primary
interest is in buffer overruns.
Deepak (Moderator):
Sravanthi Andhavarapu did her bachelor's in Computer Science Engineering
from NIT Warangal and joined Oracle Corporation as an Applications
Engineer and, after a year at Oracle, joined Microsoft. Here at
Microsoft Sravanthi has been working close to a year in the WinFS team
and is part of the Security focus group in Microsoft which aims to
spread the importance of security in software systems both internal
and external to Microsoft.
Deepak (Moderator):
Arun works on the SQL Mobile storage engine component. He has been
with MS for 1 and a half years.
Deepak (Moderator):
Before I formally welcome our experts, some basic information for
all
Deepak (Moderator):
As guests, when you wish to ask the experts a question, make sure
you check the radio button that says Ask the Experts.
Deepak (Moderator):
Only then will the Experts be able to answer the questions.
Deepak (Moderator):
In the interest of time, please do make sure that your questions are
crisp and concise so that the experts may be able to address the
exact point.
Deepak (Moderator):
This session will go on for an hour starting now.
Deepak (Moderator):
And remember, this time three lucky attendees will get surprise
gifts from Microsoft.
Deepak (Moderator):
So, now let me formally invite the Experts into the Chat
Deepak (Moderator):
Good evening experts!
Deepak (Moderator):
And the questions may begin now.
Deepak (Moderator):
Just to reiterate, guests may please check the radio button next to
Ask the Experts and then shoot the question.
Sravanthi (Expert):
Q: can someone please elaborate on what MSFP entails & the benefits
thereof
A: It stands for Messaging and Security Feature Pack. You can find
more details for it at
http://www.microsoft.com/windowsmobile/business/5/default.mspx
Sivakumar GA (Expert):
Q: Security is a word which is used everywhere in this modern era.
But I can still find that there are so many people who are hacking
and cracking software. Then what’s the security issue all about??
A: The objective is to make engineers aware of the security issues
so that we can build a safer world.
Sasidhar V (Expert):
Q: Besides input validation, what other security best practices can
I adopt as a developer, which would have an immediate impact on the
security of my code base?
A: Input validation is something which you need to handle in your
code implementation. There are many other static tools like
appverifier, prefast, fxcop, BadAPI and Threat Modeling which you
can run on your code and which identify basic security flaws in your
code.
Sivakumar GA (Expert):
Q: Can some one please give some details about Network
Authentication in Mobile Devices?
A: Please elaborate more on this.
Sasidhar V (Expert):
Q: From the asp.net security model, I want to know about
"impersonation" in a simple way. Please?
A: When using impersonation, ASP.NET applications can optionally
execute with the identity of the client on whose behalf they are
operating. The usual reason for doing this is to avoid dealing with
authentication and authorization issues in the ASP.NET application
code. Please have a look at
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/vsent7/html/vxconimpersonation.asp
Arun Mehta (Expert):
Q: More than the engineers being aware about the security issues,
they earn more when they use it in the wrong sense such as hacking,
etc. So, how can we stop this?
A: We can stop this by being aware of all possible security issues
and by designing our code in such a way that it’s devoid of these
issues. Attackers can hack into your code by exploiting issues like
buffer, heap and stack overflows, SQL Injection, Elevation of
Privilege, Integer overflows, etc. There are a few dev best
practices that we can adopt during design and development time. One
such best practice is Threat Modeling.
Sivakumar GA (Expert):
Q: Like how can I access VPNs and Remote access as well what
protocols are used?
A: Windows mobile devices allow connectivity over WiFi and ethernet
- the support is dependent on the capabilities of the device. Over a
Wifi n/w the user can be authenticated using a personal certificate.
Sasidhar V (Expert):
Q: What are the security issues specific to development on a mobile
device?
A: On Smartphone, we already have a security model where trusted apps
can get into system resources and untrusted cannot. But the scope is in
the hands of the telecom operator.
Sravanthi (Expert):
Q: Yeah.. Interesting. Can you please briefly explain about threat
modeling?
A: A threat model is a security based analysis that helps people
determine the security risks posed to the product and how attacks
can manifest themselves.
Sivakumar GA (Expert):
Q: Can I do certificate revocation in mobile devices, if yes how?
A: A certificate needs to be revoked on the certification authority.
If the specific certificate is used in a mobile device, when the OS
checks for the certificate revocation status of this cert, it will
identify that this is revoked.
Sasidhar V (Expert):
Q: When we have to build code for such small footprint devices,
where resources are already scarce, who cares about security??
A: You can have your private stuff like credentials like what you
have on desktop machines. Security is important everywhere even on
small devices.
Sravanthi (Expert):
Q: Yeah.. interesting. Can you please briefly explain about threat
modeling?
A: It involves the following steps:
1. Assemble the threat-modeling team
2. Decompose the application
3. Determine the threats to the system
4. Rank the threats by decreasing risk
5. Choose how to respond to the threats
6. Choose techniques to mitigate threats
Arun Mehta (Expert):
Q: Are Datablocks well proven to be "sql injection-proof"?
A: Attackers will find it difficult to SQL-Inject code written using
DataBlocks. However, the onus still lies with us programmers to use
Datablocks in a secure way.
Sasidhar V (Expert):
Q: Windows Mobile devices are shipped by OEMs with default security
settings. The flexibility of the Windows Mobile-based device security
model enables Mobile Operators to make changes to security settings.
Where is the developer in the picture??
A: True. Most of the 3rd party applications run on the Mobile
devices. Though they run with less privilege (untrusted), it's the
Developer who is doing all this. But, to make sure that they don't
screw up system resources, we restrict them to system resources.
Deepak (Moderator):
We have the last 30 minutes to go!
Sivakumar GA (Expert):
Q: Pocket PC has no default Certification Authority root
certificates whereas Smartphone is delivered with default
Certification Authority root certificates. Why is this??
A: We do have default Root CA certs in a pocket PC also.
Sravanthi (Expert):
Q: Thanks Experts. Can you please tell us how to determine the
threats in my .NET application and techniques to mitigate threats?
A: To determine the threats, decompose your application using data
flow diagrams.
For each component determine the threats by asking questions like
can someone deny valid users service, can untrusted users modify
data, etc.
Arun Mehta (Expert):
Q: we can't even have a Pocket PC check signatures for application
installation
A: Pocket PC checks for digital signatures during application
installation. The default behavior would be "Warn", i.e., the user
is given a warning saying that the application is from an untrusted
source and based on the user's response, the app installation would
either proceed or be aborted. However, this default behavior can be
changed.
Sasidhar V (Expert):
Q: Sasi, on the telecom provider dependency on the mobile security,
would I need to get certs from, let's say, a Hutch or a Reliance? Would
I need to do it for every single mobile operator, coz who knows
which provider my customer uses?
A: No, these will be taken care of by OEMs.
Sravanthi (Expert):
Q: Thanks Experts. Can you please tell us how to determine the
threats in my .NET application and techniques to mitigate threats?
A: You can classify your threats into STRIDE (S-Spoofing Identity,
T-Tampering with Data, R-Repudiation, I-Information disclosure,
D-Denial of Service, E-Elevation of privilege) categories.
Sasidhar V (Expert):
Q: Why can't Windows CE or Windows Mobile be affected by the
Blaster Worm or known desktop viruses? To date, how many mobile
viruses have been detected??
A: The architecture is different.
Arun Mehta (Expert):
Q: Through methods like steganography, cryptography etc. techniques
I can encrypt other files into files like mp3,jpg etc. I can encrypt
my secret messages into known formats, without disturbing the
quality of the mp3, jpg files. Isn’t this a security issue?
A: Putting a signature into an mp3, jpg file without disturbing the
file quality is used in a well known technique called "digital
watermarking". As long as you use this technique on your files, it
isn't a security issue. If you use this on someone else’s files it
becomes a legal issue.
Sasidhar V (Expert):
Q: Is SafeCRT standard C++?
A: The Safe CRT Libraries are an overhaul of the standard C and C++
libraries. These libraries add buffer checks to functions known to
be vulnerable to attack and deprecate vulnerable runtime
functions.
These changes affect all of the major programming libraries
including the C Runtime Library (CRT), the Standard C++ Library (SCL),
the Microsoft Foundation Classes (MFC), and the Active Template
Library (ATL).
Arun Mehta (Expert):
Q: Remote access by the mobile device, such as using the Internet,
exposes the device to all known forms of attack and interception.
What's the fundamental way to guard against these threats
particularly WAP security??
A: That's true. Internet facing code running on mobile devices can
expose the device to some well-known attacks, if they are not
properly coded. There are several techniques that we can use to
guard ourselves against potential threats introduced by internet
facing code. One technique which can be used to guard against buffer
overflows is compiling the code with /GS flag set.
Sivakumar GA (Expert):
Q: Is CAS (code access security) about restricting the .net
assemblies from accessing the system's resources? Or is it about
something else?
A: Yes. CAS provides a way for not allowing untrusted code to
perform privileged operations.
Sasidhar V (Expert):
Q: Hi, does Windows Mobile 5 support Security Service Providers? If
yes, then can you elaborate on what SSPs are supported?
A: These are some of the SSPs which Windows Mobile 5 supports. More
secure caching of Security Support Provider (SSP) credentials,
Credential caching for multiple targets and Modification of
applications to use Credential Manager APIs
Sivakumar GA (Expert):
Q: How can I configure Security Policies in my smart phone?
A: Typically you will not be allowed to modify the security policies
on your Smartphone. You need to be working with your mobile operator
to do this if required. You can go through the articles on
configuration service providers for Windows Mobile phones on MSDN
for more information on this.
Arun Mehta (Expert):
Q: [Q 29] It's not digital watermarking. We can change some parts of
the coding inside the mp3 and encode them with text files etc. Or
even if it’s some other person's file, then how do you propose to
solve that issue??
A: Okay, so you are talking about a security issue called "File
Fuzzing". Attackers use these attacks against any file-parsing code
(e.g., file editors etc). In this case, the attacker will modify the
data portion of the files (keeping the header intact) and then cause
the application to behave erratically. A typical way to guard
ourselves against such attacks is to test your file-parsing code
with as many interesting fuzzed files as possible.
Sasidhar V (Expert):
Q: At one of the sessions I have also come across SSP?
A: This stands for Security Support Provider. The OS supports some
features like Credential Manager, NTLM, and Security Protocols.
Please go through
http://www.windowsitlibrary.com/Content/617/06/1.html
Sivakumar GA (Expert):
Q: How does the RAPI policy that is enforced for ActiveSync
operations help protect against application-level threats??
A: This would control to what extent the applications can modify the
settings on the device. You do not want any rogue application to
modify/lower the security on your device.
Deepak (Moderator):
We have another 10 minutes to go.
Deepak (Moderator):
Last five minutes to go before we end this Chat.
Sivakumar GA (Expert):
Q: assigned to the RAPI call. Then you once again check against the
metabase to determine whether the change is permitted??
A: Since the ability to do provisioning is limited to operators,
this scenario should not arise.
Deepak (Moderator):
We have 2 minutes to go
Deepak (Moderator):
Could the experts please take their last questions for this session?
Deepak (Moderator):
Time's up folks!
Sravanthi (Expert):
Q: The Microsoft Threat Analysis & Modeling v2.0 operates only in
Windows XP or higher. Then how can we do the analysis in systems
which use Win 98, 2000 or ME?
A: You can still analyze your application design, data flow, etc.
manually and determine the threats and create a threat modeling
document.
Deepak (Moderator):
The experts could direct the audience to their mail IDs in case they
wish to take it up later.
Arun Mehta (Expert):
Q: Experts, can you please brief on perimeter Security?
A: Perimeter security refers to securing resources like firewalls,
VPN devices, DMZs, etc.
Deepak (Moderator):
Before we end the Chat, let me announce the three lucky winners of
today's Chat.
Deepak (Moderator):
And they would be...
Sivakumar GA (Expert):
Thanks everyone. It was really nice chatting with you...
Deepak (Moderator):
ultimate_linker
Deepak (Moderator):
Kri
Deepak (Moderator):
and
Deepak (Moderator):
HaiKanagu
Sravanthi (Expert):
Q: Could you suggest me a good book on the dot net security model in
the market?
A: This book provides good basics for all security related issues
(also for threat modeling):
Writing Secure Code, Second Edition, Michael Howard and David
LeBlanc
Deepak (Moderator):
Could the lucky three please write to me at
v-deraje@microsoft.com
to claim their prizes
Arun Mehta (Expert):
Thanks guys. Hope sessions like these help you develop secure
applications.
Deepak (Moderator):
A heartfelt thanks to all the Experts for the great support!
Sasidhar V (Expert):
Thanks Guys. It was very nice talking to you all. Let’s make our
products secured... For any issues, you can reach me on
sasiv@microsoft.com
Deepak (Moderator):
Thanks for taking time off your busy schedules and spending your
time with us
Deepak (Moderator):
Looking forward to having more such interesting sessions in the
future
Sravanthi (Expert):
Thanks to all the guys for their enthusiastic response to this web
chat. You can mail me at srandhav@microsoft.com for any specific
issues
Deepak (Moderator):
Thanks to all the guests for the day, too!
Deepak (Moderator):
You were a great audience!
Deepak (Moderator):
Please do take part in our Chat sessions in future too.