Being an MVP isn’t just about talking a lot


(or in my case shouting). From the MVP blog:

SharePoint MVP Alex Pearce is head of IT at Great Barr School in Birmingham, UK. Recently, he travelled with two teachers to Sierra Leone. The UK team travelled to Africa to learn how they could transport redundant computers from their school in Birmingham to a school in Sierra Leone.

In a recent interview, MVP Alex said: "First of all the school has no power so we are going to need to raise the money to buy a generator and to build something in which to house it. Secondly, we are going to need to raise the money to fund a security guard who will live in the computer building to prevent the equipment being stolen. We also want to set up a satellite link so that the school can have direct access to our e-learning resources. Finally, we are going to need to put air conditioning in the room to combat the challenges of the African climate, then we have the small issue of how to get the computers from Great Barr to Sierra Leone."


author: Barry Dorrans | posted @ Tuesday, January 06, 2009 8:11 PM | Feedback (0)

Santa seems to be bringing podcasts


Both nxtgen and Craig Murphy have been catching up on their podcasts.

nxtgen have published some of their podcasts from the PDC, interviewing Chris Anderson and Don Box and Tim Sneath and Mike Swanson.

Craig has been busy editing his 12 podcasts of Christmas; so far he has
01 - Kyle Baley on ALT.NET and Brownfield Development in .NET
02 - Aaron Parker on Microsoft Application Virtualisation
03 - Caroline Bucklow from IT4Communities: charitable software development
04 - Eileen Brown on IT Professionals, TechNet, Women In Technology & Girl Geek Dinners

Worse, he has found the podcast recorded in the pub at IMTC this year. I think once editing finishes on that it will be 3 minutes long ...


author: Barry Dorrans | posted @ Monday, December 15, 2008 11:08 AM | Feedback (0)

CAT.NET CTP Released


Following up AntiXSS, Mark Curphey also announces the first public release of CAT.NET.

CAT.NET is a managed code static analysis tool for finding security vulnerabilities. It's exactly the same tool we use internally to scan all of our Line of Business (LOB) applications; it runs as a Visual Studio plug-in or as a stand-alone application. It was engineered by this group (CISG) and has been designed in partnership with the ACE Team and Microsoft Research. The ACE Team do thousands of code reviews for the internal line of business applications and for our external customers and have provided a wealth of real world knowledge and experience to the tool over the years. We will be posting several deep dive blogs this week on the inner workings of call graph and flow graph analysis and the algorithms behind CAT.NET from MSR. It is a technology preview; we appreciate that there are some performance and functionality limitations that we will be working on over time but we are already deep in discussion about the future design of CAT.NET and it's looking potentially very compelling!

You can download the current CTP builds from MSDN (32 bit here and 64 bit here) submit bugs and feedback to our Connect site (see post later this week for details).

If you worry at all about vulnerabilities, this is another one to add to your arsenal.


author: Barry Dorrans | posted @ Monday, December 15, 2008 10:18 AM | Feedback (0)

The pain of strong names and open source projects


Those of us using FxCop or Visual Studio's code analysis are well used to seeing the plaintive plea to strong name our assemblies. Strong names provide versioning and verification as well as allowing assemblies to be placed into the global assembly cache. They are generally a good thing.

But there's a problem. Like any type of code or message signing, strong names require a key pair and the private half of that key pair should be kept secret. What happens in open source projects or in corporate environments? Ideally the strong naming should become part of the build process, but that requires the key files to be placed under source control where any developer has access to them. Microsoft's solution to this is delay signing, which needs only the public part of the key at build time; the private part is used to complete the signature after the build is done. However that has its own hoops to jump through: because the assembly ends up half signed, you must exclude any delay signed assembly from strong name verification on every machine that loads it. This may be acceptable in a corporate environment, but for an open source project it's not something I'm happy to ask people to do - as it opens the possibility for a malicious assembly to run amok.
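The delay-signing workflow the paragraph describes, as an added example that is not part of the original post or of AntiCSRF; it uses the .NET Framework SDK's sn.exe and csc.exe, and the file names (KeyPair.snk, PublicKey.snk, MyLib) are placeholders:

```bat
REM Added example (not from the post or from AntiCSRF): the delay-signing
REM workflow with the .NET Framework SDK sn.exe tool. File names are placeholders.

REM 1. One-off, done by the key holder: create the key pair and keep it OFF source control.
sn -k KeyPair.snk

REM 2. Extract the public half; this file is safe to check in.
sn -p KeyPair.snk PublicKey.snk

REM 3. Build with delay signing: the assembly carries the public key and a blank
REM    signature slot. In AssemblyInfo.cs the equivalent is
REM      [assembly: AssemblyKeyFile("PublicKey.snk")]
REM      [assembly: AssemblyDelaySign(true)]
csc /target:library /out:MyLib.dll /delaysign+ /keyfile:PublicKey.snk MyLib.cs

REM 4. The half-signed assembly fails strong-name verification, so on dev and
REM    test machines only it is registered for verification skipping. This is
REM    the step the post objects to: any assembly with that name and public key
REM    token now loads unverified on this machine.
sn -Vr MyLib.dll

REM 5. Release: the key holder completes the signature with the private key ...
sn -R MyLib.dll KeyPair.snk

REM 6. ... and verification is switched back on and confirmed.
sn -Vu MyLib.dll
sn -v MyLib.dll
```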

For AntiCSRF I have ended up with a very nasty kludge, two solutions. The first solution is the one you see checked into codeplex, with no hint of strong naming at all. The second solution contains a WiX project to build the installer MSI and a copy of the main solution, this time with a strong name set in the project. Of course now I have to keep the copied project in sync with the main project; not a chore in this case but for larger projects it certainly will be.

There has to be a better way than this, so I've put a suggestion on Connect for VS2010. I have no doubt there's a more elegant solution than my suggestion, but if you've run into this problem then please go vote the suggestion up, add better ideas, anything to stop people having to keep duplicate projects and solutions.

author: Barry Dorrans | posted @ Sunday, December 14, 2008 10:18 PM | Feedback (2)

Announcing AntiCSRF for ASP.NET


As part of the book currently under way I cover Cross Site Request Forgery, a rather fun exploit that numerous web sites have been vulnerable to. In September of this year researchers from Princeton announced the discovery of four major web sites which were susceptible, including ING Direct, where the vulnerability would allow an attacker to transfer money between accounts.

CSRF works via persistent authentication. When you log on to a web site an authentication cookie is left on your machine (or, if you're using HTTP Authentication, your browser remembers and sends the username and password with each request). An attacker can then create a malicious web page that submits a form, or a query string based GET request, to a site you are authenticated to. The browser sends the request to the target web site along with the authentication details it already has stored, and bang, there's your exploit.

With ASP.NET you can protect against CSRF with a ViewStateUserKey, which locks ViewState to a particular value you associate with a user or session (their login ID or session ID, for example) - however this requires ViewState to be enabled (and often it is disabled for performance reasons) and it is by no means a panacea. A fellow Developer Security MVP (and the technical editor for my book), Alex Smolen, points out the problems with relying solely upon it.

The classic solution to CSRF is to add a secondary authentication token to a form as a hidden form field and to drop a matching cookie during the first GET request to your site. Every time a form is submitted, the cookie and the form token are compared and if they do not match the request is rejected - this is the approach the ASP.NET MVC folks have taken with Html.AntiForgeryToken(). One drawback to this method is the need to manually add the token and do the checks; this sort of thing should be automatic.

At BlueHat this year Alex and I batted around some approaches to this; I wanted something simple for the book. The good folks at OWASP have the .NET CSRF Guard project, but this uses sessions, something I wanted to avoid.

After some batting back and forth, and some silly mistakes on my part we developed AntiCSRF, an HTTP Module which you can slot into your web application to take the worries away. The module automatically takes care of token generation and checking for every Page on your web site, assuming it inherits from System.Web.Page and contains an ASP.NET form.

What it does not do is protect you from GET requests which cause destructive actions. The HTTP specifications state that GET requests should be idempotent (i.e. they do not cause state changes within your application). If you have URLs which trigger actions like deletes then you need to start thinking about changing those types of requests to become POSTs. We also haven't protected non ASP.NET webforms as, frankly, trying to process HTML code is a bit of a nightmare.

The protection is opt-out (unlike the MVC approach and ViewStateUserKey which are opt-in and need code for implementation). This is a deliberate choice as it is, in my opinion, safer.
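The cookie-versus-form-field check described above, as an added example in Python that is not the AntiCSRF module's own code. It goes one step beyond a plain copy of the cookie into the field: the field is an HMAC of the cookie under a server-side key, so a matching pair cannot be minted without that key. Cookie and field names, and the key, are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed names for the cookie and hidden form field; the real AntiCSRF
# module's names are not given on the page.
COOKIE_NAME = "__AntiCsrfCookie"
FIELD_NAME = "__AntiCsrfToken"


def field_for_cookie(server_key: bytes, cookie_value: str) -> str:
    """Derive the hidden-field value from the cookie value under the server key."""
    return hmac.new(server_key, cookie_value.encode(), hashlib.sha256).hexdigest()


def issue_token(server_key: bytes) -> tuple[str, str]:
    """First GET: mint a random cookie value and the matching form-field value.
    The cookie is set on the response; the field is rendered into each form."""
    cookie_value = secrets.token_hex(16)
    return cookie_value, field_for_cookie(server_key, cookie_value)


def check_request(server_key: bytes, method: str, cookies: dict, form: dict) -> tuple[bool, str]:
    """Run on every request. Returns (allowed, reason). Only form posts are
    checked: as with the module in the post, destructive GETs are out of scope."""
    if method.upper() != "POST":
        return True, "not a form post"
    cookie_value = cookies.get(COOKIE_NAME)
    field_value = form.get(FIELD_NAME)
    if not cookie_value or not field_value:
        return False, "missing token"
    expected = field_for_cookie(server_key, cookie_value)
    # Constant-time comparison so the check does not leak how much matched.
    if not hmac.compare_digest(expected, field_value):
        return False, "token mismatch"
    return True, "ok"


if __name__ == "__main__":
    key = secrets.token_bytes(32)            # server-side key, constructed
    cookie, field = issue_token(key)         # issued on the first GET
    # Legitimate post: the browser sends the cookie and the page's form carries the field.
    print(check_request(key, "POST", {COOKIE_NAME: cookie}, {FIELD_NAME: field}))
    # Cross-site post: the browser still attaches the cookie, but the attacker's
    # form cannot carry the field value, so the request is rejected.
    print(check_request(key, "POST", {COOKIE_NAME: cookie}, {"amount": "100"}))
```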

We are not saying this is the final word in CSRF protection, you should always treat these things as just another layer of your defence in depth; but please download, have a play, see how it goes and don't forget to log any issues or bugs on CodePlex. The code is licensed under the Microsoft Permissive License.

Download AntiCSRF 0.9 Beta


author: Barry Dorrans | posted @ Sunday, December 14, 2008 1:47 AM | Feedback (3)

A new version of AntiXSS


For the last couple of weeks I've been playing with the new version of Microsoft's AntiXSS package. AntiXSS provides more encoding methods and better implementations of the base HtmlEncode and UrlEncode that come with the framework.

However there's something new this time around - the Security Runtime Engine. This is an HTTP module which will automatically provide encoding for your legacy apps and act as a second line of defence if you forget to encode your outputs.

It was released on codeplex last night; you can get the v3 beta, installers and source from http://www.codeplex.com/AntiXSS - it's well worth looking at, and they've even provided performance statistics so you can figure out if the SRE is for you. It probably is ....

author: Barry Dorrans | posted @ Wednesday, December 10, 2008 11:39 AM | Feedback (0)

The Security Development Lifecycle and a new threat modelling tool


The Microsoft SDL website has been updated with three new pages

Having seen the Threat Modelling Tool at the MVP Summit last year I've been looking forward to this one; it's improved a lot. It now uses Visio under the hood for a lovely interface, automation and guidance in your modelling as well as a guided analysis for the threats and mitigations as you follow the STRIDE framework.

Microsoft are also piloting the SDL Pro Network, a set of partners who will consult and train companies in the SDL approach.

author: Barry Dorrans | posted @ Thursday, December 04, 2008 9:59 PM | Feedback (0)

DDD7: 10 tricks & tips for WCF


Well I didn't manage to get socks stuck on the projector this time around. The slide deck and demos are available for download. Every DDD session this year has been filmed; so if you missed it watch the DDD site for the video.


author: Barry Dorrans | posted @ Saturday, November 22, 2008 12:26 PM | Feedback (3)

Get Safe Online Week


This week is Get Safe Online week; a campaign founded by the Government, HSBC, SOCA and Microsoft.

The campaign site, http://www.getsafeonline.org/ is aimed at the "mum" user, people who don't know about the ins and outs of security; the people who are at risk the most.

This year they're focusing on identity fraud; apparently research and survey information will be available. As the week progresses more information will appear on the site, written in non-technical language and presented in a way that everyday Internet users can understand.

So if you don't want to try to explain phishing to your mum then why not let someone else do it: forward the campaign site to your non-technical friends and family. If it educates them and reduces their risk then that is a good thing (and it may reduce the instances of family technical support *grin*).


author: Barry Dorrans | posted @ Monday, November 17, 2008 9:56 AM | Feedback (0)

An illustration of social engineering


Last night my twitter feed started filling up with messages about Twitterank; in fact there are so many messages that it's currently in the top 10 trends for the day on tweetscans.com.

[Image: Twitterank in the tweetscans.com daily trends list]

Looking at the people in my feed who used it - a few MVPs, a bunch of Microsoft staffers and a couple of other technical folks - it looked interesting. Except, well, I'm paranoid.

Twitterank is much like a google PageRank for your twitter accounts. Cool, just what we need, more ways to feel inadequate on the internet. The interesting part of it is that it needs your username and password - and people are handing it over. The site states it won't store it, and I have no reason to believe it does, but there is no way to know. People are happily entering their authentication information in for the promise of a magic number generator.

There's already another site, twitterawesomeness.com which illustrates the futility of trying to educate people; where the disclaimer is at least honest; "I'm in ur Twitterz, stealin ur credz!"

It nicely illustrates how simple it is to gather this information; throw up a simple web site and sit back and watch. It's both amusing and worrying that people who should know better, including a couple of the geek Scotts participated.

Now yes, twitter authentication isn't that important; however do you have a clean username and password for the site? A username and password combination you don't use elsewhere? Consider that twitter is rapidly becoming part of the social networking scene and people try to keep a consistent brand on their social graph, matching usernames across multiple sites so people can find them...

I should stress, again, that twitterank may not be doing anything bad at all - but we just don't know. It would be all too easy to act as a legitimate site, offer a service, keep rather than throw away the authentication details, lay low for months and then start to abuse the accounts you have. It might even be worth some money, depending on whose accounts you get; twitter spamming is becoming more widespread. Twitter users are relying on the kindness of a stranger right now...

There's a blog up, purporting to be from the author (how do we know - it's an anonymous wordpress.com blog? is there a limit to my paranoia?). It includes the following;

Are you a phishing site? Are you going to steal my account? etc..etc..

No, I am not a phisher. I don’t even store your password. Your password gets used once to calculate your Twitterank, and is never stored on disk or any other permanent storage device. Having said that, people do need to be more careful about giving away their account information. I’m not evil, but the next guy might be.

They acknowledge there's no way for them to prove they aren't storing it either; that's a whole other problem. Heck, the source for the twitterank page underscores the problem in a rather amusing html comment;

<!-- I am about to ask you for your Twitter user ID and password. You should be afraid. This is where you ask yourself, "Do I really want to find out my twitterank badly enough to give some random dude on teh interweb my account info?" And if that's not what you're asking yourself, shame on you. //-->

(I am signed up to a twitter service that tweets my RSS updates and stores my username and password to do so, so I may well be a hypocrite!)

author: Barry Dorrans | posted @ Thursday, November 13, 2008 7:07 AM | Feedback (0)