idunno.org

Vista Squad: OWASP Top 10 Security Vulnerabilities Video

Barry Dorrans — Sat, 20 Jun 2009 08:02:14 GMT

I gave my OSWAP presentation to Vista Squad last Wednesday, where Ian Smith kindly (?) videoed it. The other speaker for that evening dropped out, meaning the poor attendees had just me to listen to as I stretched it out to about 100 minutes. The length meant that the video is in two halves.

Part 1 from Vista Squad on Vimeo.

Part 2 from Vista Squad on Vimeo.

The presentation is the same one I gave at WebDD so the slides and code are the same.

The feedback on twitter was amusing;

#VistaSquad enjoyed the talk by @blowdart made me think (oh ***t) fix that
Thu, Jun 18 09:25:04 from TweetDeck

Technorati Tags: Vista Squad,OWASP,Security

Fancy a free 3 month trail of TechNet?

Barry Dorrans — Wed, 03 Jun 2009 07:20:25 GMT

OK so it’s not MSDN, but TechNet gives you full versions of MS software, betas, bundled support incidents, a reference library, courses and other gubbins IT pros will love. It costs though. Well, it did. MS are now giving away a 3 month subscription for free to folks in the UK, Canada and the US. Yes, I’m as shocked that it’s a UK thing as you are. ArsTechnica has all the details.

Technorati Tags: TechNet,Microsoft,Freebie

Fun with Bing DNS

Barry Dorrans — Mon, 01 Jun 2009 07:47:26 GMT

It appears bing is live. I’m not that impressed as a vanity search has my blog on the second page, twitter as the first hit, and a bunch of very old content on other sites taking up the rest of the first page.

However it appears Microsoft are using a wildcard DNS entry for the site – what does this mean? Well anything.bing.com will resolve, including chandler.bing.com and monica.bing.com … could that be any more silly? (although interestingly subdomains revert to using Live Search.

Technorati Tags: bing,dns

A week’s worth of Microsoft desserts.

Barry Dorrans — Mon, 11 May 2009 11:51:24 GMT

I’m at Microsoft doing a Proof of Concept with Geneva, building a custom STS for a Microsoft customer. I can’t talk about the POC but I can present you with yet another week’s worth of desserts…

Eton Mess

Brandy snap basket with summer fruits

Banoffee cheesecake

Fruit kebabs with coconut rice pudding

Fresh fruit vacharins

That’s far more important than discussing CardSpace. Now excuse me while I take my afternoon snooze …

Technorati Tags: Microsoft

The ID Element – a new C9 show on identity

Barry Dorrans — Mon, 20 Apr 2009 11:43:52 GMT

Vittorio has a new starring role in ~~a shampoo and conditioner commercial~~ Channel9 show, The ID Element. The first episode has Stuart Kwan, the Federated Identity PM talking about Geneva in all its glory, server, framework and client.

I know, none of you aside from Dominick and Travis will care, but you should. Honestly. (because it’ll give me another presentation to do at DDDs if nothing else!)

Technorati Tags: Geneva,Federated Identity,Big Hair

LINQ and SQL Injection

Barry Dorrans — Mon, 20 Apr 2009 08:58:20 GMT

In my WebDD09 talk on Saturday I mentioned SQL injection and LINQ. I’ve had a query about what exactly is the problem with LINQ as I was constrained by time and only mentioned it in passing.

Microsoft asserts that LINQ stops SQL injection attacks:

LINQ to SQL avoids such injection by using SqlParameter in queries. User input is turned into parameter values. This approach prevents malicious commands from being used from customer input.

This is generally true, however LINQ has a problem method – ExecuteQuery. This methodexecutes queries directly on the server which can lead to injection. Now ExecuteQuery does support parameters:

IEnumerable<Customer> results = db.ExecuteQuery<Customer>(
    "SELECT contactname FROM customers WHERE city = {0}",
    "London");

However if you don't know about SQL parameters already it's going to be all to tempting to build a command string up with concatenation and then bang, there’s SQL Injection. I’ve seen ExecuteQuery recommended for optimisation and performance with scant or no warnings given about parameterisation.

In summary LINQ avoids SQL Injection - if you use it properly – but the same thing can be said about the ADO.NET classes… and we know people still slip up using those.

Technorati Tags: LINQ,SQL Injection

Don’t Get Stung – An introduction to the OWASP Top Ten

Barry Dorrans — Sat, 18 Apr 2009 17:45:50 GMT

After DDD Belfast came WebDD09 where I was presenting on the OWASP Top Ten Project (well I could hardly present at DDD Belfast, I was organising, that seems just a little too egotistical *grin*). You can download the PowerPoint [905kb] and the sample code [432k].

For the person who asked you can download Fritz Onion’s ViewState Decoder. For further reading on XSS Russ McRee republishes his Anatomy of an XSS attack article from the ISSA journal and NG Software have two PDFs, Advanced SQL Injection and More Advanced SQL Injection.

With the added bonus of discovering coffee beans in my rucksack and a Windows Azure sticker on the back of my car all in all it was a fun day and if you attended I hope you got a lot out of it… and will pre-order my book *cough*

Technorati Tags: WebDD09,WebDD,OWASP

Beginning ASP.NET Security is available for pre-order

Barry Dorrans — Tue, 14 Apr 2009 11:09:32 GMT

Alex Mackey tweeted yesterday that his book was available for pre-order on Amazon so vanity got the best of me – so I checked and mine is available too. It grows ever more real and scary, although not as scary as the cover (which is now on its third iteration but I still can't convince them to use Oliver's alternative version) …

Pre-order from Amazon UK
Pre-order from Amazon US

Technorati Tags: ASP.NET,Wrox,Vanity

I know! Lets use a proven flawed network for a national identity card system

Barry Dorrans — Tue, 07 Apr 2009 07:26:44 GMT

It’s been reported that Labour would like the proposed UK ID cards to plug into the Chip and Pin network. This is a commercial network that has security that has never been verified, and a bunch of folks at Cambridge reverse engineered and showed massive cryptographic flaws in it, such as reusing authentication tokens, overloading data semantics, and failing to ensure freshness of responses.

This is the same network that a leaked report showed had higher instances of fraud associated with it that were expected. This was a system designed, not for security, but for moving the consequences of fraud onto the retailer, a system where with a paperclip and some weak card readers caused card cloning and was over £1m in fraudulent transactions.

So anyone with a suitable weak reader would have the ability to copy and reproduce ID cards. This is supposed to protect us? A network which cannot be checked because it belongs to a corporate entity?

There are ways to do it – the Estonia government has an identity card which uses proven, open standards to validate identity to government and banks. The Estonian identity card holds two X509 certificates, one for identity and one for signing documents and can be used for encryption when communicating with government or any other web site that cares to opt-in to the scheme, and there’s no need for specialised code, it’s just X509 after all. In addition the UK Government Gateway optionally uses X509 for company identification, so not much extra code needed there.

Of course I have my doubts about the purpose of the UK identity card anyway, it points more to monitoring and control through easily joined databases than anything to do with protecting citizens, but even so, if it’s going to be forced on us then lets do it right ok?

Technorati Tags: Identity Cards,Chip and Pin,Fraud,UK egovernment

DDD Belfast is over. And relax…

Barry Dorrans — Sun, 05 Apr 2009 20:13:01 GMT

Well that was fun :) 150 people, 15 speakers, 3 organisers, 2 Microsoft folks and swag from Wrox, TechSmith, DevExpress, RedGate, Jetbrains and a special offer from Innerworkings for free ASP.NET MVC training. And then there was the Wrox lollipops…

I have my pictures up on flickr; here is just a small sample.

Obviously I’d like to thank all our speakers, our sponsors, the venue folks and of course Microsoft Ireland.

And I’d like to thank our attendees, I hope you all got something out of it. You’ll be receiving details of the feedback web page early next week – please leave feedback for us and the speakers, it’s the only way we know how we did!

If you were one of the 60+ that dropped out – we’d love to know why too – leave a comment, or email me through my contact page here.

(We won’t mention the gossip – who wasn’t allowed into a pub because of his trainers, who was turned away from a nightclub for being too drunk on Saturday evening, who refused to come down for breakfast Sunday morning because he couldn’t face food … no, mentioning that would be wrong.)

Technorati Tags: DDD,DDD Belfast,DDDBelfast,dddBFST