Vista Squad: OWASP Top 10 Security Vulnerabilities Video


I gave my OSWAP presentation to Vista Squad last Wednesday, where Ian Smith kindly (?) videoed it. The other speaker for that evening dropped out, meaning the poor attendees had just me to listen to as I stretched it out to about 100 minutes. The length meant that the video is in two halves.

Part 1 from Vista Squad on Vimeo.

Part 2 from Vista Squad on Vimeo.

The presentation is the same one I gave at WebDD so the slides and code are the same.

The feedback on twitter was amusing;

#VistaSquad enjoyed the talk by @blowdart made me think (oh ***t) fix that
Thu, Jun 18 09:25:04 from TweetDeck

Technorati Tags: ,,

author: Barry Dorrans | posted @ Saturday, June 20, 2009 9:02 AM | Feedback (0)

Fancy a free 3 month trail of TechNet?


OK so it’s not MSDN, but TechNet gives you full versions of MS software, betas, bundled support incidents, a reference library, courses and other gubbins IT pros will love. It costs though. Well, it did. MS are now giving away a 3 month subscription for free to folks in the UK, Canada and the US. Yes, I’m as shocked that it’s a UK thing as you are. ArsTechnica has all the details.

Technorati Tags: ,,

author: Barry Dorrans | posted @ Wednesday, June 03, 2009 8:20 AM | Feedback (2)

Fun with Bing DNS


It appears bing is live. I’m not that impressed as a vanity search has my blog on the second page, twitter as the first hit, and a bunch of very old content on other sites taking up the rest of the first page.

However it appears Microsoft are using a wildcard DNS entry for the site – what does this mean? Well anything.bing.com will resolve, including chandler.bing.com and monica.bing.com … could that be any more silly? (although interestingly subdomains revert to using Live Search.

Technorati Tags: ,

author: Barry Dorrans | posted @ Monday, June 01, 2009 8:47 AM | Feedback (0)

A week’s worth of Microsoft desserts.


I’m at Microsoft doing a Proof of Concept with Geneva, building a custom STS for a Microsoft customer. I can’t talk about the POC but I can present you with yet another week’s worth of desserts…

IMAG0027

Eton Mess

IMAG0028

Brandy snap basket with summer fruits

IMAG0029

Banoffee cheesecake

IMAG0030

Fruit kebabs with coconut rice pudding

IMAG0031

Fresh fruit vacharins

  

That’s far more important than discussing CardSpace. Now excuse me while I take my afternoon snooze …

Technorati Tags:

author: Barry Dorrans | posted @ Monday, May 11, 2009 12:51 PM | Feedback (4)

The ID Element – a new C9 show on identity


Vittorio has a new starring role in a shampoo and conditioner commercial Channel9 show, The ID Element. The first episode has Stuart Kwan, the Federated Identity PM talking about Geneva in all its glory, server, framework and client.

I know, none of you aside from Dominick and Travis will care, but you should. Honestly. (because it’ll give me another presentation to do at DDDs if nothing else!)

author: Barry Dorrans | posted @ Monday, April 20, 2009 12:43 PM | Feedback (1)

LINQ and SQL Injection


In my WebDD09 talk on Saturday I mentioned SQL injection and LINQ. I’ve had a query about what exactly is the problem with LINQ as I was constrained by time and only mentioned it in passing.

Microsoft asserts that LINQ stops SQL injection attacks:

LINQ to SQL avoids such injection by using SqlParameter in queries. User input is turned into parameter values. This approach prevents malicious commands from being used from customer input.

This is generally true, however LINQ has a problem method – ExecuteQuery. This methodexecutes queries directly on the server which can lead to injection. Now ExecuteQuery does support parameters:

IEnumerable<Customer> results = db.ExecuteQuery<Customer>(
    "SELECT contactname FROM customers WHERE city = {0}",
    "London");

However if you don't know about SQL parameters already it's going to be all to tempting to build a command string up with concatenation and then bang, there’s SQL Injection. I’ve seen ExecuteQuery recommended for optimisation and performance with scant or no warnings given about parameterisation.

In summary LINQ avoids SQL Injection - if you use it properly – but the same thing can be said about the ADO.NET classes… and we know people still slip up using those.

Technorati Tags: ,

author: Barry Dorrans | posted @ Monday, April 20, 2009 9:58 AM | Feedback (0)

Don’t Get Stung – An introduction to the OWASP Top Ten


After DDD Belfast came WebDD09 where I was presenting on the OWASP Top Ten Project (well I could hardly present at DDD Belfast, I was organising, that seems just a little too egotistical *grin*). You can download the PowerPoint [905kb] and the sample code [432k].

For the person who asked you can download Fritz Onion’s ViewState Decoder. For further reading on XSS Russ McRee republishes his Anatomy of an XSS attack article from the ISSA journal and NG Software have two PDFs, Advanced SQL Injection and More Advanced SQL Injection.

With the added bonus of discovering coffee beans in my rucksack and a Windows Azure sticker on the back of my car all in all it was a fun day and if you attended I hope you got a lot out of it… and will pre-order my book *cough*

Technorati Tags: ,,

author: Barry Dorrans | posted @ Saturday, April 18, 2009 6:45 PM | Feedback (4)

Beginning ASP.NET Security is available for pre-order


Alex Mackey tweeted yesterday that his book was available for pre-order on Amazon so vanity got the best of me – so I checked and mine is available too. It grows ever more real and scary, although not as scary as the cover (which is now on its third iteration but I still can't convince them to use Oliver's alternative version) …

Beginning ASP.NET Security
Pre-order from Amazon UK
Pre-order from Amazon US

Technorati Tags: ,,

author: Barry Dorrans | posted @ Tuesday, April 14, 2009 12:09 PM | Feedback (4)

I know! Lets use a proven flawed network for a national identity card system


It’s been reported that Labour would like the proposed UK ID cards to plug into the Chip and Pin network. This is a commercial network that has security that has never been verified, and a bunch of folks at Cambridge reverse engineered and showed massive cryptographic flaws in it, such as reusing authentication tokens, overloading data semantics, and failing to ensure freshness of responses.

This is the same network that a leaked report showed had higher instances of fraud associated with it that were expected. This was a system designed, not for security, but for moving the consequences of fraud onto the retailer, a system where with a paperclip and some weak card readers caused card cloning  and was over £1m in fraudulent transactions.

So anyone with a suitable weak reader would have the ability to copy and reproduce ID cards. This is supposed to protect us? A network which cannot be checked because it belongs to a corporate entity?

There are ways to do it – the Estonia government has an identity card which uses proven, open standards to validate identity to government and banks. The Estonian identity card holds two X509 certificates, one for identity and one for signing documents and can be used for encryption when communicating with government or any other web site that cares to opt-in to the scheme, and there’s no need for specialised code, it’s just X509 after all. In addition the UK Government Gateway optionally uses X509 for company identification, so not much extra code needed there.

Of course I have my doubts about the purpose of the UK identity card anyway, it points more to monitoring and control through easily joined databases than anything to do with protecting citizens, but even so, if it’s going to be forced on us then lets do it right ok?

author: Barry Dorrans | posted @ Tuesday, April 07, 2009 8:26 AM | Feedback (0)

DDD Belfast is over. And relax…


Well that was fun :) 150 people, 15 speakers, 3 organisers, 2 Microsoft folks and swag from Wrox, TechSmith, DevExpress, RedGate, Jetbrains and a special offer from Innerworkings for free ASP.NET MVC training. And then there was the Wrox lollipops…

I have my pictures up on flickr; here is just a small sample.

DSCF1502DSCF1504DSCF1505DSCF1507DSCF1508DSCF1513DSCF1515DSCF1517Paul is a little teapotAttendees look happy with TechSmith CDsDSCF1526DSCF1531DSCF1534DSCF1536DSCF1545DSCF1549DSCF1551DSCF1552DSCF1553DSCF1554Udi demonstrates the latest dance moves.DSCF1573DSCF1576Dave Sussman wants these curtains for his boudoir.Colin is awake. For a change.Come to DDD, get Wrox lollipopsChris Canal starts his presentationAlex exhorts his audience to take the ring to MordorDSCF1597DSCF1602DSCF1604DSCF1605DSCF1607DSCF1611DSCF1625DSCF1630DSCF1632DSCF1634DSCF1636DSCF1641DSCF1648

Obviously I’d like to thank all our speakers, our sponsors, the venue folks and of course Microsoft Ireland.

And I’d like to thank our attendees, I hope you all got something out of it. You’ll be receiving details of the feedback web page early next week – please leave feedback for us and the speakers, it’s the only way we know how we did!

If you were one of the 60+ that dropped out – we’d love to know why too – leave a comment, or email me through my contact page here.

(We won’t mention the gossip – who wasn’t allowed into a pub because of his trainers, who was turned away from a nightclub for being too drunk on Saturday evening, who refused to come down for breakfast Sunday morning because he couldn’t face food … no, mentioning that would be wrong.)

author: Barry Dorrans | posted @ Sunday, April 05, 2009 9:13 PM | Feedback (3)