Category Archives: General

General, Security

Ann: AntiCSRF – Cross Site Request Forgery protection

Microsoft Developer Security MVP, Barry Dorrans has been busy preparing content for his Wrox Press book and in doing so has developed a Cross Site Request Forgery HTTP Module.

AntiCSRF slots into your web application and takes the worries away. The module automatically takes care of token generation and checking for every page on your web site, assuming it inherits from System.Web.Page and contains an ASP.NET form.

It’s worth reading Barry’s original announcement/blog post, it has some further information.

Technorati Tags: , , ,

General

NxtGenUG Podcasts!

NxtGenUG have published some of their podcasts from the Microsoft PDC 2008!

The One With The Ticket, The Witch and the Wardrobe…
Enter a show beyond your imagination, or in this case beyond Richie’s smalls. Yes, the Costall has a magic cupboard and he and Dave embark on an adventure which takes them to PDC Los Angeles 2008. However it turns out to be a very a short adventure when they get chucked out by an over zealous security guard! It’s a good job that NxtGenUG Coordinators John McLouglin and Chris Hay save the day by recording a series of fantastic interviews with such notables as Chris Anderson and Don Box who talk about ‘Oslo’ and ‘M’. Listen on…
Chris Anderson and Don Box

The One With Ass The Experts…
Meanwhile back at PDC, John and Chris don’t seem to know their Ass from their elbows (a career in marketing could be an option?), as the drink gets to them… Still the show is saved by some great content on Silverlight Controls from Shaun Burke and about PDC organisation from Mike Swanson and none other than ex-UK DPE Tim Sneath. Perhaps John and Chris might have sobered up by Part 3…?
Tim Sneath and Mike Swanson

Technorati Tags: , , , , , ,

Rants

Sky+ built-in COPY failed during November, Star Trek DVD mountain!

5 Comments

[As quoted in the Guardian SKY HASSLES: http://www.guardian.co.uk/technology/blog/2008/dec/14/technology-letters-blogs-full]

If you caught my tweets last month, you may have noticed that I noted that my Sky+ box was generating copy protection signals preventing my DVD recorder from recording the episodes of Star Trek from Virgin One and Bravo. Without going into huge amounts of detail, I figured that any time a “What’s on next” caption appeared and occasionally during advert breaks, a Macrovision-like signal was issued causing my DVD recorder to stop recording.

Whatever you may be thinking, I believe that I am entitled to record these episodes for a number of reasons. Firstly, I don’t have time to watch them live – I have a day job, a wife and a kid, time is in short supply. Secondly, the Sky+ hard drive is woefully small at 160GB, of which we get 80GB of personal space, whoopee (yes, I will be doing something about that later). Thirdly, I am simply recording what I would have watched anyway, I’m not recording it to keep per say…I’m happy to buy the DVD boxed set for that. And to be honest, Star Trek is *all* that I watch via Sky, all other programmes I could get via Freeview (if we had a decent signal where I live, moot point).

Courtesy of Liam Westley, today’s copy of the Guardian carried this article by George Cole. Sky could be so good for you…I don’t think so (sorry, couldn’t resist that, Gary!) This explains a lot.

In my humble opinion this is a huge FAIL for Sky. I had even gone to the lengths of buying one of these cables in order to normalise the signal from the Sky+ box to the DVD recorder. Sadly that cable failed miserably, dead on arrival…now I’m embroiled in the returns and refund process, more hassle…all thanks to Sky.

I will of course be testing the COPY feature again this month. However in the meantime, I have some 20+ episodes of Deep Space Nine to catch up on…and I can’t dump them to DVD as I have been doing most nights for the last 8-9 months. Yes, I do have 100+ DVDs chock full of Star Trek to catch up on!

Technorati Tags: , , , , , , , ,

Developer Events, Development, Project Management, Scrum

[Event] AgileMalta – 5th December 2008

1 Comment

I’m pleased to see AgileMalta running its second conference. I have a soft spot for Malta having essentially lived there on and off for many years. It has probably changed a lot, but I still like to think I know Malta and Gozo almost as well as I know the back of my hand. I can’t think of a better mix, the islands of Malta, Gozo and Comino, their people and an agile development conference…

What: Talks given by people who have had a hands-on experience with Agile with international clients. The Key Note speaker is Joakim Ohlrogge. Local speakers are two local persons who actively participate in Agile projects, Aldo Cauchi Savona and Dave Sammut.
Date: Friday, December 5th 2008
Location: Hilton Hotel, St. Julians
Duration: Half-day conference
Price: T.B.A.

Further details can be found here:
http://www.agilemalta.com/events/agile-conference-december-2008/

Overview:
Success in today’s software industry requires a process, an environment and people that are able to achieve business goals within tighter deadlines, without compromising quality or reducing employee moral. Your process needs to be able to be attractive to foreign investment, your employees need the skills to deliver and sustain the process.

Whether you are interested in Agile or seeing how you can improve your own development process, the AgileMalta Conference is a great opportunity for people at all levels to gather together to learn about and share experiences on Agile software development process.

In our first conference we provided talks and discussion sessions for people at all levels to come into contact and learn about Agile. In the upcoming conference we will build upon feedback from the 1st conference and from our website. We decided to provide you with talks on implementing Agile and dealing with common issues when using such a process.

Join the AgileMalta Facebook group here!

Technorati Tags: , , , , , ,

On blogging, Opinion, Security

Passwords alone, are not enough. Even if they were, are they hard to break?

9 Comments

[As quoted in the Guardian: http://www.guardian.co.uk/technology/blog/2008/nov/23/technology-letters-blogs]

Relying on a single password for more than one purpose, e.g. logging on to your web-mail, instant messaging service, Facebook, Bebo, etc. is probably very commonplace.  Indeed, exposés such as Twitterank, and even it’s parody site TwitterAwesomeness, highlight the ease at which folks will essentially surrender their username and passwords.  Twitterank didn’t just catch the unsuspecting Internet user, they also caught a number of people who really should have known better. 

Sites that do need your Twitter username and password, such as BrightKite, use it in order to post tweets on your behalf.  In BrightKite’s case, it tweets each time you “check in” to their “where am I” service.  The check-in process involves you telling BrightKite where you are, it then sends out a Tweet telling the world.  Such sites make their intentions very clear in the Terms Of Use, Code of Conduct and Privacy pages. 

However, so did Twitterank. The site made it clear what it wanted you to believe it was doing with your username and password.  Even if you didn’t read the Twitterank terms of service or FAQ, it was embedded within the source code, as Barry Dorrans carefully points out.  The speed at which the Twitter population flocked to Twitterank suggests that were there any ulterior motives, the site would be well placed to exploit a significant portion of the Twitter accounts that it had opportunity to harvest.

Twitterank was different.  It relied on our instinctual want to graded or rank ourselves amongst our peers.  No matter how hard we try, we’re all competitive by nature.  We want to know where we stand/sit in relation to our peers.  Some services, such as Twitter Grader have managed to achieve this without the need for a Twitter password.  Granted there’s only so much Twitter Grader can do, however it’s a polite service that has introduced me to a number of Twitter users in Scotland – users that I may not have discovered.

There was little indication whether a Twitterank of 100 was good or bad.  Some users reported ranks of over 200, others, as we’ve seen already, received a rank of zero.  The mathematics behind the site were reported via a comment in this blog as being “Real Math(tm)” and were comparable in accuracy to Google’s PageRank mechanism.  I’m not a mathematician so I won’t be debunking any formula, algorithm or approaches.  Well, not just yet at least.  For Twitterank to have been useful, it would need to allow us to determine whether our rank was better or worse than other Twitterankers (there it is again, I do apologise).

Twitterank didn’t really try to hide its intentions, however because of the the site’s ease of use, instant gratification and rapid publicity, its uptake was huge (it trended TweetStats and Twitter Search, and at the time of writing, continues to do so – outdoing “Obama” and “James Bond”).  The publicity was part of what made it so popular – it sent out a Tweet announcing your Twitterank, including a link back to the site thus encouraging users to discover their own ranking.  In most cases, this would probably be fine, however spare a thought for the Twitter folks who received a ranking of zero – and there where many of them!  Indeed, many Twitterankers (can I really get away with saying that?  Too late now!) tweeted their dissatisfaction at their ranking. 

Amusingly, Twitterank’s creator (@ryochiji) reported on his Twitter feed that low rankers should try again tomorrow.  Oh, so that’s how it works – everybody’s Twitterank will improve over time, that’ll work, great system, yes?  Further information may be found on the Twitterank blog, assuming WordPress haven’t deemed it necessary to close it down.

It’s not all about gullible users though
This morning, at the time of writing, a few hours after Twitterank was exposed for the social experiment that it probably is (or was), saw me reading Bruce Schneier‘s Read me first column in the Technology section of The Guardian.  Bruce writes a great piece explaining how passwords don’t need to be broken per say, but that they are inherently easy to guess.

Without spoiling the article too much, assuming that you are going to read it, Bruce highlights our password selection techniques.  One such method, and one that is certainly very familiar to this writer in his corporate environment, is the keyword+appendage approach.  Users often take their child’s name, their dog’s name, etc. and add a numeric digit or two after the name, e.g. frank01 or rover12. 

Today’s processing power means that software can intelligently guess huge combinations of keyword+appendage passwords in a relative short and acceptable period of time.  Gone are the days when passwords would take days or weeks to crack.  If you need more convincing, think about how long it takes the average WiFi hacker to crack your wireless router/modem WEP encryption keys.  Or even your WPA encryption?

Bruce makes the suggestion of using a personal sentence as your password.  Not the sentence itself, but an obfuscated version of the sentence.  His example (yes I’m spoiling the original article, sorry) uses “This little piggy went to market” – it creates an obfuscated password of tlpWENT2m.  Such as password would take a significant amount of time to be guessed using processing power alone.  Just in case you were tempted, Bruce rightfully advises that we don’t use tlpWENT2m ourselves…oddly enough.

Increasing security, some options
With the ease at which Twitterank coaxed visitors into typing in their username and password, it seems the days of the password as a single source of authentication are numbered.  We need to be considering more secure alternatives that involve “levels of authentication”.  Usablity is the key to widespread acceptance, any product in this space must be easy to use; its interface must be fundamental such that selection of a secure-level authentication token requires little more effort than offering a basic-level token. 

With Twitterank-like incidents becoming more common, I predict that during 2009 we will see the general acceptance and widespread uptake of such authentication mechanisms such as OpenID, and CardSpace (further reading here and here).  You should familiarise yourself with these mechanisms because major web-sites such as Yahoo are gradually introducing them as part of their login process.  Indeed, even the likes of Facebook, where you can be whoever you want to be, may have to succumb and implement a more secure user registration and identity verification process.

Beyond authentication into verification
Going beyond authentication, we need to consider verification, particularly of identity.  The internet has little in the way of process that can help us confirm an individual’s authenticity and identity – how do you know that the person your are tweeting with or Facebooking is the person they say they are?  Twitter had the great fake Sarah Silverman incident of October 2008.  Facebook has many impersonation cases, a few of which I discuss in elsewhere on this blog

Firms, such as NetIDme are well placed to take advantage of the needs of the authentication and identity verification marketplace.  Identity verification through NetIDme processes involves a combination of stages, if you’re in the UK or US they boast a 95% “automatic verification” rate. The remaining 5%, or if you are a child, requires some form of personal contact with the NetIDme team – whether it is a fax or a phone call.  However, prior to the personal contact, you are invited to provide such things as your Driving Licence Number, National Insurance number, Social Security Number or Passport number in order for third party checks to take place.  Obviously this is much more involved and potentially more invasive than a simple username/password combination. The fact we are now able to authenticate and verify who we are, including how old we are, is a key step forward in the growth and maturity of the Internet.

And finally…
At the time of writing Twitterank is still up and running, whilst there appears to be no malicious intent on the creator’s part, the whole debacle in the social engineering space has left a bitter taste in the mouths of many people.  I am sure that no ill intent was ever on the cards, however Twitterank has proven that everybody needs to think about their own on-line security and the implications of password surrender. 

Just think what might have happened to your Twitter feed? “Ah,” you say, “but it’s just my Twitter feed, I don’t really care if somebody hacks it and owns it.”  That’s fine, but a lot of users have a single password, and that is where the problem stems from.  Identity theft often starts from the smallest thing.  I have a colleague whose identity was stolen simply because she left her name on the door bell of her previous house. The house had been sold to a gentleman who then let / rented the house.  The new tenants used the knowledge of the previous owner’s name to start off the identity theft process.  It is that simple.

I’ll leave you with advice that is mentioned elsewhere in this blog:

  1. Don’t use the same password for social networking sites and services that are more important to you such as your on-line bank or your web-mail.  If your password is harvested, as Twitterank could have done, you may find yourself compromised in more than one way.
  2. Avoid simple passwords such as “password”, “itsasecret” or “letmein”.  Amazingly, during my university days somebody actually told me their password was “itsasecret”.  Indeed it was…I logged in and was later accused of cracking the said password.  A little trouble ensued but it was soon dropped when I explained that i had actually been given the password in the first place! 
  3. Consider “upping” your levels of security your OpenID – there are plenty of providers.  Yahoo, MyOpenID and NetIDme to name just a few.  Any progress in this direction, is good progress. Of course, you could always demand OpenID!

Safe and happy surfing!

Further reading:

Password security – even big names fail
Twitterank – celeb or peon? @t_rank

Opinion, Rants

How to Talk to (Geek)Girls Online…Etiquette (link through)

3 Comments

Via Twitter (@UMLGuy), I found myself reading a blog post by Dana Coffey (@crazeegeekchick)

Now, even if I wasn’t married, I wouldn’t dream of doing any of the crazy things that Dana mentions in her blog entry. It’s just not the done thing.

Take Dana’s rule of all rules as an example:

It never ceases to amaze me that men online feel perfectly comfortable asking me about my sexual proclivities or describing their own – and they don’t even know the color of my eyes.

Come guys, whoever you are, wherever you are: please take heed of Dana’s advice…you’re letting the side of decency down.

Here’s the full blog post: How to Talk to (Geek)Girls Online– Social Networking Etiquette

On blogging, Security

Cleaning up after the WordPresz 2.6.4 incident

4 Comments

As many of you are probably aware, earlier this week I noticed that my trusty WordPress blog was duping me into downloading and installing an essential security upgrade to version 2.6.4. At the time, I was running version 2.5.1. You’re possibly wondering why I had not already upgraded to an authentic WordPress 2.6.x release…I am after all, supposed to be setting an example. Well, a number of factors delayed the upgrade – most notably lots of travel and a few time-consuming home-life issues meant the upgrade was back-burner-ed. Via The Register, Sophos picked up on hack, classifying it as Troj/WPHack-A. I managed to record a short video of the dashboard hack, notice that I’m at WordPress 2.6.3…

That being said, a small part of me always prefers to wait a while before upgrading, i.e. I don’t like to upgrade immediately. If memory serves me, I recall a WordPress upgrade that caused me a few minor problems because I upgraded the moment it came out – it was soon followed by a further release. Anyway, I’m digressing.

Since Monday, I have upgraded to WordPress 2.6.3, twice. Naturally I used the definitive link for getting my hands on the 2.6.3 zip file. On both occasions the WordPresz 2.6.4 upgrade advice was still appearing in my dashboard. I’ve also been liaising with the good folks over at WordPress and have followed as much of their advice as I can at this stage. Huge thanks to the WordPress chaps for picking up on this issue – whilst it hasn’t affected me, I’m sure some folks have accidentally installed the fake 2.6.4 release.

My second install of 2.6.3 saw me cleaning out the various wp-admin, wp-includes, folders and then FTPing a fresh 2.6.3 set of files. I then started poking around in the WordPress database – table wp_options caught my attention. Themes tend to leave a lot of fingerprints in wp_options, as do a number of plug-ins. I cleaned out around about 40% of the wp_options records that were related to themes I no longer have installed.

After further searching, I found the field dashboard_widget_options:

As you can see, the WordPresz 2.6.4 injection text, or at least part of it, is in there. In order to remove it from my dashboard, I simply removed the entire contents of the dashboard_widget_options field, i.e. its content is empty – I did not delete the entire record. WordPress was kind enough to recreate the contents of this record.

Further poking around in wp_options revealed an RSS record: rss_412e29f6467d015b137ccc293b42bdff. Its contents were familiar:

O:9:”MagpieRSS”:17:{s:6:”parser”;i:0;s:12:”current_item”;a:0:{}s:5:”items”;a:1:{i:0;a:4:{s:5:”title”;s:43:”High risk vulnerability for WordPress users”;s:11:”description”;s:132:”High risk vulnerability for WordPress users, we wanted to get an update out immediately. 2.6.4 is available for download right now.”;s:4:”link”;s:21:”http://wordpresz.org/”;s:7:”summary”;s:132:”High risk vulnerability for WordPress users, we wanted to get an update out immediately. 2.6.4 is available for download right now.”;}}s:7:”channel”;a:7:{s:5:”title”;s:43:”High risk vulnerability for WordPress users”;s:4:”link”;s:21:”http://wordpresz.org/”;s:11:”description”;s:29:”Just another WordPress weblog”;s:13:”lastbuilddate”;s:31:”Thu, 30 Oct 2008 02:29:53 +0000″;s:4:”docs”;s:34:”http://backend.userland.com/rss092″;s:8:”language”;s:2:”en”;s:7:”tagline”;s:29:”Just another WordPress weblog”;}s:9:”textinput”;a:0:{}s:5:”image”;a:0:{}s:9:”feed_type”;s:3:”RSS”;s:12:”feed_version”;s:4:”0.92″;s:5:”stack”;a:0:{}s:9:”inchannel”;b:0;s:6:”initem”;b:0;s:9:”incontent”;b:0;s:11:”intextinput”;b:0;s:7:”inimage”;b:0;s:13:”current_field”;s:0:””;s:17:”current_namespace”;b:0;s:19:”_CONTENT_CONSTRUCTS”;a:6:{i:0;s:7:”content”;i:1;s:7:”summary”;i:2;s:4:”info”;i:3;s:5:”title”;i:4;s:7:”tagline”;i:5;s:9:”copyright”;}}

I elected to remove (delete) that record (rss_412e29f6467d015b137ccc293b42bdff and rss_412e29f6467d015b137ccc293b42bdff_ts – I would imagine your field names might look a little different to mine).

My WordPress 2.6.3 install is now looking a little healthier. However there are still a number of unanswered questions. How did the 2.6.4 information make its way into the wp_options table? Was it a WordPress or a MySQL exploit or was it something else? Has my MySQL database password been comprised in some way? What about my FTP password? Was a malicious theme responsible for this compromise? I am very close to developing a theme myself, hopefully that learning curve will help me find answers to some of these questions. Who knows the answers to these questions? Hopefully over time the truth will out, I would certainly like to know.

Whatever the case, my blog hasn’t been visibly owned as yet…I suppose time will tell. In the meantime, password changes are aplenty!

On blogging

Blogging frequency: affected by [business] travel

2 Comments

As some of you may know, I’ve been doing some stats recently – there must be something in the air!

Anyway, as part of another stats gathering exercise, I found myself looking at a list of blog entries that I had made over the past 12 months to October 2008. Looking at the list, it was obvious that there were a couple of significant dips and the odd peak. The dips were typically the result of [business] travel to London. The peaks were the result of a Microsoft product launch and the use of a single post to capture “my week” – largely to document the trials and tribulations of business travel, but occasionally to capture other more interesting events!

.net, Development, General, OpenXML

Open XML – Resources

4 Comments

This post serves as a placeholder for my Open XML links, resources, etc. I will update it from time to time.

History
04/11/2008 – I’ve updated the demo code to include the code used in my screencast demonstrating Word 2007 Content Controls.

03/11/2008 – I’ve updated the demo code to include examination of the customXML file that is populated by the content control example (ContentControl.docx). Demo 5 shows how we can inject our own XML into the content controls.

Demo 6 presents the few lines of code required to extract the XML (as populated by the content controls) into an XmlDocument. Once the customXML is in an XmlDocument we are free to access the nodes as required.

Thus we are now in a position were we can create a document with custom data present, pass it to a user, the user can amend the custom data, save the document and send it back to us. We can then extract that custom data for subsequent processing. I will prepare a short screencast to demonstrate this – watch this space.

28/10/2008 – Posted pre-VBUG Newcastle inaugural delivery of An Introduction to Open XML. Download the slides and Visual Studio 2008 / Open XML SDK 2 CTP1 demo code. It’s likely that I will update this code to reflect further CTP releases.

**

Eric White’s blog entry about the first CTP of the Open XML SDK V2.

Microsoft’s primary Open XML portal, OpenXMLDeveloper.org.
Microsoft’s on-line forum for Open XML

OpenXML Code Snippets (for Visual Studio 2005) (Managing code snippets)

Blogs
Brian Jones
Mauricio Ordonez
Doug Mahugh
Kevin Boske
Erika Ehrli
Gray Knowlton’s OpenXML content

Product/Technology Blogs
XPS
Word
Excel

Videos
Open XML File Formats

Using Word 2007 Content Controls
Matthew Scott: Application Development using the Open XML File Formats
Matthew provides an excellent explanation of Word 2007’s content controls and customXML parts. Before OpenXML you probably found yourself using Word bookmarks to leave placeholders inside a Word document – content controls essentially replace those.

Andrew Coates has some excellent information about using Content Controls in conjunction with Matthew’s Word Content Control Toolkit (available on CodePlex).

Technorati Tags: , , , , , , , , , ,