Category Archives: Security

Chris Seary on Securing LINQ to SQL

Security expert Chris Seary has written a thought-provoking piece about the changing role of the Database Administrator (DBA) now that database querying is becoming a feature of many .NET programming languages via Language INtegrated Query (LINQ). With developers writing code that effectively reaches into the database, both developers and DBAs have cause for concern, especially where performance might be an issue. Chris discusses this problem and lays down the foundation for what is likely to be considered a future best practice.

On another note, Chris is now an independent consultant. If you need a security expert, give Chris a call. Check out his MSDN articles and slide decks. Chris recently spoke at DDD5 to a full house, delivering a good overview of his ‘Ten Top Tips for Securing Web Applications’.


NxtGenUG’s FEST07

I managed to gatecrash NxtGenUG's FEST07 developer-oriented conference today. It was a single-day event held at Microsoft’s Thames Valley Park campus. Despite my best efforts, I arrived just in time for the first full session of the day (I managed to miss such things as the Registration, Welcome and Notices, Community and Keynote, bit of a shame really, but when you’re relying on trains and free buses getting you from Edinburgh to Crewe to Reading to TVP, some loss has to be expected).

Anyway, it was a super event, well-organised, good speakers, good food and a good mix of information-hungry attendees. For me, it was nice to be at TVP and to be able to sit back, relax and enjoy the conference – usually I’m on the other side of the organising fence and find myself checking agendas, chasing speakers, etc.

First up on the agenda was Rafal Lukawiecki – he’s some guy: top TechEd speaker, need I say more? He kicked off with a session about Vista Security, covering the following major topics: Foundational Protection, Networking, User Account Control (UAC), Authentication & Authorization, BitLocker and Data Protection. As you might expect, UAC was the audience’s primary pain-point: Rafal did a quick poll to see just which flavour of the UAC prompt the audience were enduring – you see, there are actually two prompts that you might receive depending upon who you are logged in as. Most of the audience log in as administrators, so they received the Consent Prompting (default for administrators) prompt. Only a handful of attendees logged in as standard users, thus receiving the Credentials Prompting (default for standard users) dialog. Interestingly, Rafal was pro-UAC, citing that we should strive to make our applications better citizens such that the UAC prompts only ever appear if they really need to. Further reading can be found here.

Microsoft DPEs Daniel “The Greek One” Moth and Mike Taulty took the stage for the next session, originally planned to be about Orcas, but now a dive into the world of C# and LINQ. Now, usually these two guys are part of MSDN events, roadshows, etc.; rarely do we see them “out in community” without them staying roughly within the corporate lines laid down by Microsoft. Today, any corporate ties they had were gone; they were, if you could use the comparison, what happens to DPEs when they go bad! As a double act, they rocked: the comedy was flowing.

After lunch (pizzas and coke) Rafal was back for a session about Software Development Paradigms. This session was well-delivered and provided considerable food for thought. Interestingly, Rafal closed the session with the statement that the programming paradigm is likely to return to the lambda-calculus domain and that we should be learning Prolog and LISP once again!

Oliver Sturm moved in to talk about Dynamic Languages. Attendee feedback from this session was rather good, with many stating that “this Ruby thing, it never goes away, it just keeps bouncing back”.

Finally, Lorna Brown gave a 45-minute session about what’s going on at Microsoft Research. I’m always impressed with what I see coming out of MSR – today, we saw gesture controlled devices tied into a text messaging service. Whilst Microsoft won’t appreciate the comparison, what MSR have effectively done is put the Wii-style controller into a mobile device, such that you can use gestures instead of words…very useful if you want to ask if somebody wants to go for beer, make a pouring gesture and a sound of a beer being poured can be heard at the recipient’s end.

Download the FEST07 slides’n’code from here. And, until midnight on the 4th of June, provide your feedback here – attendees only please!


Scottish Developers – Web Security Conference Day for Windows Developers – 12/04/2007

Scottish Developers are pleased to announce a full-day security-oriented event to be held in Edinburgh on the 12th of April 2007

You’ve taken the courses, you’ve scoured the Internet, you’ve attended many presentations, but alas, you still have many unanswered questions about website security.

Scottish Developers have secured the support of two consultants from Charteris plc, a respected IT and Management Consultancy and Microsoft Gold Partner. Barry Dorrans and Chris Seary are security specialists who regularly speak on subjects relating to the securing of web applications.

Come along on the 12th April for a full day of presentations and demonstrations surrounding the real-world implications of the most common .NET web technologies: learn about the best practices, issues, gotchas, etc.

Bring along your questions and problems to gain assistance in finding solutions.

AGENDA
08:45 Registration
09:00 Hacking websites for fun and profit
10:30 Break
11:00 Securing applications and communications in ASP.NET
12:30 Lunch
13:30 Code Access Security – in-depth explanation and design pattern for web applications
15:00 Break
15:15 Securing Web Services with WS-*
16:45 Break
17:00 Managing Identity using Windows Cardspace
18:30 Close

– These are rough timings. Some sessions may end earlier or run later. We aim to shape the day around people’s needs, not a time schedule!

Hacking websites for fun and profit
Presented by Barry Dorrans

How safe are your web sites?
Do you know what cross site scripting is?
SQL injection attacks?
Search engine leaks?

Learn how to check your sites for nasties by seeing how it’s done against badly written code and what you can do to secure your sites.

Securing applications and communications in ASP.NET
Presented by Barry Dorrans

This session aims to provide you with recipes to secure your asp.net application architecture, be they internet, extranet or intranet exposed. Covering authentication and authorisation strategies, identity management, securing communications, secrets, viewstate and more the session will discuss common best practices for secure architecture of ASP.NET applications.

Code Access Security – in-depth explanation and design pattern for web applications
Presented by Chris Seary

Chris has implemented CAS in several secure enterprise scale web applications. This talk will explain how CAS works, and also give details of a design pattern for implementing CAS in web applications.

We start by showing a web site being hacked, and then alter the application to stop the hacker while preserving the full functionality of the web site. We also look at ClickOnce and how it uses Partial Trust.

Securing Web Services with WS-*
Presented by Chris Seary

Why use WS-Security – surely IPSec and SSL will secure our site?
Actually, WS-* specifications provide functionality that network protocols do not.

We look at what WS-Security can add to web service security, and go through a good deal of sample code (which will be available to download).

This presentation covers both WSE and WCF. We also look into WS-Federation, and how it is used to authenticate users from different domains.

Managing Identity using Windows Cardspace
Presented by Barry Dorrans

Windows CardSpace is a framework developed by Microsoft which securely stores digital identities of a person, and provides a unified interface for choosing the identity for a particular transaction, such as logging in to a website.

This talk will cover the identity metasystem, how CardSpace works and how you can use it within ASP.NET.

BIOGRAPHIES
Barry Dorrans has spent 15 years cutting code, starting with mainframes, through DOS, Visual C and MFC before finally ending up on the .NET platform. His experience has ranged from banking systems to Europe’s largest streaming network. He now mentors developers through .NET migrations and Expert Witness services with Charteris plc (http://www.charteris.com).

Chris Seary has been awarded the Most Valuable Professional (MVP) award by Microsoft for his contributions to the field of application security. He has been securing large-scale applications for several years, including the Australian Taxation Office’s mid-range systems, which make up the world’s largest .NET application. He regularly speaks on security, and has had articles published in journals and on MSDN.

DATE
Thursday 12th April 2007, 9:00am – 6:30pm.

Registration begins at 8:45am.

VENUE
Microsoft Edinburgh,
127 George Street,
Edinburgh
EH2 4JN

LUNCH
Approximately one hour will be set for lunch and a place can be pre-booked at a local restaurant.

Please let us know if you have any special dietary requirements.

Lunch is NOT included in the price for this event.

REGISTRATION
Please send an email to john@scottishdevelopers.com indicating you’d like to register. We’ll then complete the registration and book you a place.


Digital Forensics with EnCase

I attended a BCS event in Dundee last night. The speaker was Guidance Software‘s Russell May, he was discussing and demonstrating EnCase. Russell’s presentation style was very good, a few slides and plenty of demonstrations.

EnCase is a rather powerful tool that provides access to the file systems of Windows, Linux, AIX, OS X, Solaris – or to be more precise: FAT12/16/32, NTFS, EXT2/3 (Linux), Reiser (Linux), UFS (Sun Solaris), AIX Journaling File System (JFS and jfs) LVM8, FFS (OpenBSD, NetBSD and FreeBSD), Palm, HFS, HFS+ (Macintosh), CDFS, ISO 9660, UDF, DVD, and TiVo 1, TiVo 2, VMware, Microsoft Virtual PC, DD and SafeBack v2 image formats. All this from a single unified interface. It’s a product that is intended to work with “images” rather than live hard drives, which makes perfect sense from an evidence preservation perspective.

Speaking of evidence preservation, Russell showed us a handful of photographs from real live “busts”. He stressed the importance of photographing “the scene”, particularly if you are seizing computer equipment that will be used as evidence. The photographs allow you to recreate the scene very quickly, wiring and all. Also worth photographing is the inside of the computer. Folks tend to hide all sorts of interesting stuff inside their PC’s base unit…Russell has found secondary unconnected hard drives, money and drugs!

Russell brought along a handful of Word documents that contained some text and images. There were documents that looked fairly normal to the untrained eye, i.e. some regular text and some benign images. However, looking at the file size, it is perhaps obvious that we were not being shown the big picture [sic]. Indeed, one of the documents had one large image sitting on top of 4 slightly smaller images. Another document appeared to contain nothing more than a short paragraph of text – in reality, an embedded Picture Object had its width and height set to 0…all we could see were the overlapping grab handles (which looked remarkably like a full-stop!)

Further examples saw Russell restore deleted partitions, identify numerous files with the incorrect extension (e.g. .VXD instead of .JPG), and discover DOS batch files (.BAT) that convert between file extensions. We were even able to see how EnCase dealt with Alternate Data Streams (ADS). One thing that we didn’t see was how EnCase handled encrypted drives (using, for example, Private Disk, BitLocker, etc.)

I was pleased to see Russell push home the fact that the Format command doesn’t actually wipe out anything. The Format command actually performs a number of reads (typically three) and a verify. Any sectors that fail this read-verify test are marked as bad sectors and are thus ignored. In a nutshell, using FDisk and/or Format isn’t enough to stop a tool like EnCase or even a disk sector editor (such as this one by Acronis).

My key “take away” was the fact that EnCase and all other software-based forensic tools struggle with files that have been securely deleted using such tools as Eraser, SDelete or CCleaner. These tools offer a variety of secure delete options, including 1-pass, 3-pass US DoD 5220.22-M (8-306/E), 7-pass US DoD 5220.22-M (8-306/E, C and E) and 35-pass (Gutmann). The importance of this fact cannot be underestimated – if you plan to dispose of your PC, it’s important to clear it out such that the next owner cannot recover your personal data. The BBC reports tales of woe from folks who didn’t clear out their hard drives here, here and here.

Personally, I use Eraser and CCleaner – both have a clean Windows user interface, Eraser even integrates with the Shell so that it appears when you right-click on a file or folder. If you are using CCleaner, the secure deletion options are secreted away here:

[Screenshot: ccleaner.gif]

…and if you’re using Eraser, the Edit -> Preferences -> Erasing (Control-E) menu option leads to this screen:

[Screenshot: eraser.gif]

Related Links
EnCase (and here)
Secure File Deletion – Eraser, SDelete, CCleaner
Alternate Data Streams
Gutmann’s algorithm – Secure Deletion of Data from Magnetic and Solid-State Memory (here also)
Encrypted Disks – Private Disk, BitLocker


Confidence Tricks

This seems to have been a weekend for computer support. Today, Sunday, I found myself looking at an eMachines PC that refused to connect to the Internet using the https protocol. The machine’s owner had already mentioned that he had ditched Norton Antivirus (and gone through a lot of pain trying to uninstall it) and had chosen WinAntiVirus as a replacement. Why? Well, a moderately reputable web-site “popped” something up that told him his computer needed “fixing”, a fake “you are infected” type of message. WinFixer and WinAntiVirus would “fix it” for a small fee. To all intents and purposes, it sounds fairly legit: you pay your money, you get a download link for a couple of products, you believe that you’re protected. Except, these two products do little more than invite their friends (ad-ware, spyware, malware, etc.) in to play about on your computer. From there, it goes from bad to worse. And it’s not new, as this post confirms.

Luckily, I was able to uninstall WinFixer and WinAntiVirus, disable a whole raft of browser hijacks and clear down 115 items of ad-ware, spyware and malware. Whilst I was there, I killed off all the remaining Norton services and lingering processes. After a reboot and a re-scan, I was pleased to see the Windows XP shield appear at the bottom right – a clear sign that prior to my arrival something was “blocking” it thus preventing Automatic Updates from taking place. WinFixer and WinAntiVirus may not have themselves been blocking Automatic Updates and other security-related activities (such as blocking scanning software), but they were certainly responsible for something getting on the computer that did.

FWIW, the tools that I used to help me are: Crap Cleaner, Spybot and HijackThis.

On the premise that this is one of those “how do you know” scenarios, a piece of advice that I can offer is this:

If a pop-up window (or an advert within a web page) tells you that your PC is infected and offers a “clean up” solution, either ignore it or at least put it into your favourite search engine. Google, for example, provides this advisory:

[Screenshot: google.gif]

Related links:
http://en.wikipedia.org/wiki/WinFixer
http://www.spywareguide.com/spydet_2731_winantivirus.html
http://stopbadware.org


IE7 Connecting…

One of my wife’s friends popped in yesterday. Seems her laptop just “went and installed IE7”. After the installation was complete, when trying to visit a web-site, IE7 would just sit there attempting to connect, displaying “Connecting…” in the solitary tab. It also consumed huge amounts of CPU time giving the impression that the machine was slow.

I know John has been lamenting about this sort of issue over here and here. And Dan was kind enough to offer his good advice elsewhere in this blog. So add-ons seemed to be the logical place to start. However, even setting the Tools -> Internet Options -> Home Page to about:blank, it’s difficult to get to the Add-ons menu in order to actually do anything with them. Of course, being the sly individual that I am, I used HijackThis to rummage around myself.

I was pleased to read this Microsoft posting that highlights a menu option that most users may not have discovered:

[Screenshot: ie7addons.gif]

[scroll down and look for Toolbars that are incompatible with Internet Explorer 7]

This menu option will at least prove that your IE7 installation is working as it should. Sadly IE7’s Tools->Manage Add-ons menu item is greyed out, so you can’t simply go in and turn all the Add-ons off from here. However, you can choose Tools->Internet Options and then click on the Programs tab thus revealing the Manage Add-ons button, as the screenshots here confirm.

Armed with the knowledge that IE7 was working fine, I could now set about looking for the offending Add-on. Without beating about the bush, it turns out that it was the Norton Internet Security Add-on that was causing all the problems: disabling it forced NIS to go in search of a fix for itself, which, to my amazement, it found. It would appear that I am not alone, others are having similar problems as this post suggests.

Anyway, my wife’s friend now has a working laptop, with IE7 and NIS running happily, so all is well. YMMV


Lottery scams…

It’s good to see Colin writing about a lottery scam that reached his inbox. They are more common than folks think; it seems that the scammers think we’re more gullible at this time of year. Xmas is the worst time of year to play the UK lottery – more folks than normal buy a ticket, so even with the huge odds against you, if you did win something, it’s likely that you’ll have to share it with more people 🙁 However, in for a penny, in for a pound: if you don’t take part, you can’t win. I’d settle for a tidy £50,000, thanks very much – tip jar is at the bottom of this post!

I’m waiting for Microsoft to formally announce the fact that they are in the lottery business, as the e-mail below seems to suggest 🙂

[Update: 14/01/2007: More information can be found here.]

Some of the “scam clues” have been marked in bold.

FROM THE DESK OF THE MICROSOFT
COORDINATOR {MICROSOFT GLOBAL E-MAIL LOTTERY}
INTERNATIONAL PRIZE AWARD DEPARTMENT
AMSTERDAM THE NETHERLANDS.
FILE REF:HL/5564/06/07/MICS
BATCH: MC11/834/5PDH /EU

OFFICIAL WINNING NOTIFICATION:

DEAR WINNER:

It is obvious that this notification will come to you as a suprise but please find time to read it carefully as we congratulate you over your success in the following official publication of results of the E-mail electronic online Sweepstakes organized by Microsoft,in conjunction with the foundation for the promotion of software products,(F.P.S.), held on the 9th of Dec.2006,in Amsterdam The Netherlands.

Wherein your electrononic email address emerged as one of the online
winning emails in the 1st category and therefore attracted a cash award of 1,000,000.00Euros(One Million Euros only).

Our winners are arranged into four categories with different winning prizes accordingly in each category.They are arranged in this format below:

CATEGORY NO.OF WINNERS WINNING PRIZES
1st. 2 1,000,000:00euros each
2nd. 8 800,000:00euros each
3rd. 13 470,000:00euros each
4th. 27 170,000:00euros each

We write to officially notify you of this award and to advise you to contact the processing office immediately upon receipt of this message for more information concerning the verification, processing and eventual payment of the above prize to you.

It is important to note that your award information was released with the following particulars attached to it.
(1) Award numbers: NL 56/7765
(2) Email ticket numbers: NL553/26/96
(3) Batch numbers: MC11/834/5PDH /EU
(4) The file reference numbers: HL/5564/40/07/MICS
{5} Serial Numbers:McST/006/NL4657

For verification purpose be sure to include:
(1) Your mailing address.
(2) Your Tel/Fax numbers.
(3) Your Nationality/Country.
{4}Your Full Names

To file for your claim,Please contact your Validating Officer for VALIDATION of your winning within Twenty-nine working days of this winning notification.Winnings that are not validated within Twenty-nine working days of winning notification are termed void and invalid. You are required to mention the above particulars
of your award in every correspondence to enable the Agent validate your winning.

CONTACT:
*******************************************************************
FOREIGN TRANSFER MANAGER
NAME MR.PATRICK DONKOR.
MICROSOFT SECURITY DEPARTMENT(NL).
TEL:+31-204-000-498.
TEL:+31-649-304-875.
FAX:+31-847-560-854.
E-mail: claimbglot@aim.com
********************************************************************

The Microsoft Internet E-mail lottery Awards is sponsored by our
CEO/Chairman, Bill Gates:http://www.templetons.com/brad/billmap.gif and a consortium of software promotion companies.The Intel Group, Toshiba, Dell Computers and other International Companies.The Microsoft internet E-mail draw is held periodically and is organized to encourage the use of the Internet and promote computer literacy worldwide.

Once again on behalf of all our staff,

CONGRATULATIONS!

Yours faithfully,

Rosemary Van Ken (Mrs)
MICROSOFT E-MAIL LOTTERY PROMOTION COORDINATOR.

Related Posts
Spam: Recognition
It’s a scam, it’s a hoax, but how do you know?


It’s a scam, it’s a hoax, but how do you know?

My other half (“who should know better” I hear you cry) forwarded on the message below.

FREE £60 SAINSBURY’S VOUCHER!
Hi Guys
This does work, just had a reply back from my cousin who sent it, saying he has just received his voucher, Nice eh? Send this email on to 10 people and copy in J.sainsburys@customerservices.com, Then Sainsbury’s will forward you a £60 voucher via email Fab – Just in time for Christmas

Of course, it is a hoax. It’s obvious, surely everybody can see that? Well, the truth is, it’s not that obvious and this particular hoax is still catching folks out! So what makes this so obviously a hoax?

Well, there are a few tell-tale signs.

The e-mail alias is playing on your impression of the big name that is behind the supermarket in question, you’d like to think that J.sainsburys is a reliable alias. Wrong on two counts. Firstly, the small ‘s’ is a clue, it should be uppercase. Secondly, it’s “J Sainsbury”, there’s no need for the trailing ‘s’. Don’t believe me? Check it here.

Then there’s the capital ‘T’ just after the ‘,’ – that’s just wrong. And no ‘.’ before ‘Fab’. And the capital ‘J’ in ‘Just’. And the capital ‘N’ in ‘Nice’. Always check grammar, spelling, etc. if you have even the slightest suspicion that something isn’t what it seems. Oh, and no ‘.’ closing the sentence.

The domain name, customerservices.com, has nothing to do with the supermarket. If this domain is still alive, it only serves to collect e-mail addresses from unsuspecting individuals who’ll be spammed later.

How easy is it to check for these hoaxes? Well, your favourite search engine is usually a good place to start. Check out J.sainsburys hoax to see what I mean.

So remember, if it sounds too good to be true, it probably is!
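As an added illustration (not from the original posts), a small Python scorer for the tell-tale signs called out in this post and in the lottery post above: a big-name brand invoked while the contact address sits on an unrelated domain, prize or free-offer wording, a deadline, a request for personal details, chain-letter instructions and official-looking reference codes. The sample messages are constructed paraphrases of the two e-mails quoted in the posts; the check names, patterns and the `brands` list are my own assumptions, not anything the posts define.

```python
"""Heuristic scorer for the scam clues discussed in the two posts above.
Added example; the check names, regexes and sample texts are constructed."""
import re
from typing import Dict, List

# Constructed paraphrases of the two messages quoted in the posts.
LOTTERY_MAIL = """\
FROM THE DESK OF THE MICROSOFT COORDINATOR {MICROSOFT GLOBAL E-MAIL LOTTERY}
FILE REF: HL/5564/06/07/MICS  BATCH: MC11/834/5PDH/EU
DEAR WINNER: your email address attracted a cash award of 1,000,000.00 Euros.
For verification purpose be sure to include: your mailing address, your
Tel/Fax numbers, your Nationality/Country, your Full Names.
Contact your Validating Officer within Twenty-nine working days.
E-mail: claimbglot@aim.com
"""

VOUCHER_MAIL = """\
FREE 60 POUND SAINSBURY'S VOUCHER! Send this email on to 10 people and copy in
J.sainsburys@customerservices.com, then Sainsbury's will forward you a voucher.
"""

# A constructed, benign message for comparison (example.org is a placeholder).
BENIGN_MAIL = """\
Hi all, Thursday's user group meeting starts at 18:30 in George Street.
Reply to events@example.org if you are coming.
"""

# Each check is one clue the posts call out; the patterns are deliberately loose.
CHECKS = {
    "prize_or_free_offer": re.compile(
        r"\b(free|winner|winning|prize|award|cash|voucher)\b", re.I),
    "deadline_pressure": re.compile(
        r"\bwithin\s+(\d+|[a-z-]+)\s+(working\s+)?days\b", re.I),
    "asks_personal_details": re.compile(
        r"\b(mailing address|tel/fax|nationality|full names?)\b", re.I),
    "chain_letter": re.compile(
        r"\b(send|forward)\s+this\s+(e-?mail|message)\s+(on\s+)?to\s+\d+\s+people\b", re.I),
    "official_looking_codes": re.compile(
        r"\b(file ref|batch|ticket|serial)\b[^\n]{0,20}[A-Z]{2}\d*/\d+", re.I),
}

EMAIL_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")


def brand_domain_mismatch(text: str, brands: List[str]) -> List[str]:
    """Return contact addresses whose domain carries none of the brand names the
    message invokes. Only the domain counts: a brand name in the local part
    (J.sainsburys@...) is exactly the trick the hoax relies on."""
    lowered = text.lower()
    claimed = [b.lower() for b in brands if b.lower() in lowered]
    if not claimed:
        return []
    return [m.group(0) for m in EMAIL_RE.finditer(text)
            if not any(b in m.group(1).lower() for b in claimed)]


def score_message(text: str, brands=("Microsoft", "Sainsbury")) -> Dict[str, object]:
    """Count the clues present; each hit records the text that triggered it."""
    hits: Dict[str, str] = {}
    for name, rx in CHECKS.items():
        m = rx.search(text)
        if m:
            hits[name] = m.group(0)
    mismatch = brand_domain_mismatch(text, list(brands))
    if mismatch:
        hits["contact_domain_mismatch"] = ", ".join(mismatch)
    return {"score": len(hits), "hits": hits}


if __name__ == "__main__":
    for label, mail in [("lottery", LOTTERY_MAIL), ("voucher", VOUCHER_MAIL),
                        ("benign", BENIGN_MAIL)]:
        result = score_message(mail)
        print(f"{label}: {result['score']} clue(s) -> {sorted(result['hits'])}")
```

The lottery mail trips five of the six checks and the voucher hoax three, while the benign notice trips none; the domain check is the one that survives even a well-spelled message.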


New office, new location, am I using your wireless network?

We moved into a new office today. Our IT crew are here and are dealing with the infrastructure move over the course of Friday afternoon and the weekend. However, being the geek that I think I am (and some folks tell me that I am, so it has to be true), I turned up today with my laptop and “went looking”. I do a lot of travelling and as such use various wireless networks; most of them are secure by default, some are “open” but require authentication via a login and password, and rarely do I connect to “any old wireless connection”, particularly the “open” networks with no security at all.

Today, it’s all change. This blog posting comes courtesy of somebody else’s Internet connection. I don’t know who they are, or where they are (they’re close enough for me to get an ‘Excellent’ signal strength, so I reckon I could see them were they to identify themselves).

It has been said thousands of times before: please, secure your wireless network. Even the most basic authentication is enough to put many “chancers” off. If you don’t, you could find yourself liable to prosecution, as “professional chancers” may use your Internet connection for illegal activities.

[Image: wireless networks]
