Situational Awareness

Often we don’t know we are in danger until we get clobbered. We have all had that feeling in the pit of our stomachs after something heavy falls where we were standing a few minutes ago. In the middle ages ignorance of disease killed many and the same is true of most in the modern world of computer security.

You can’t defend against these things:

- Attacks when you don’t know how they are done

- Attacks to which you don’t know you are vulnerable

- Attacks you don’t realize are possible

Make an effort to stay up to date with exploits (preaching to the choir no doubt), so you don’t get nailed.

But wait there’s more!

Now there is an even more dangerous exploit for jpg files.  Details can be found here.

I have seen an example of this exploit in action.  In the demo I got from our security team, displaying the custom crafted jpg image caused the workstation to reboot.

If you didn’t take the last reminder to patch seriously, I urge you to get it now.

MS is looking to solve the Backup problem!

Backup is a fairly antique part of IT nowadays.  The trend over the last year or so seemed to be real time backup to SANs at huge cost in terms of infrastructure.  Now Microsoft has announced that they are going to put forth an offering that will not only bring this solution down to smaller orgs, but will also allow users to do their own recovery. 

This is huge!  Just like the telcos are seeing their revenue evaporate in the wake of VOIP I would hate to be selling a traditional backup suite.

Cyber-Terrorism on the horizon

I just finished reading an upcoming article from Forbes Magazine (unfortunately you will have to register to read it before the September 20th pub date) about the belief that terrorists are turning to hacking as their next major vehicle to do damage.

In the article they point out things like, “The FBI says the cyberterrorism threat to the U.S. is “rapidly expanding.” “Terrorist groups have shown a clear interest in developing basic hacking tools, and the FBI predicts that terrorist groups will either develop or hire hackers,” Keith Lourdeau, an FBI deputy assistant director, told the U.S. Senate earlier this year.”

The article also mentions a company that I have had dealings with in my consultant travels.  Invensys makes valves and regulators and such.  Exactly the kind of equipment that a bad guy would want to manipulate.

Scary, but maybe I’m not too old to get back in the service after all…

Security after the SDLC

The Software Development Life Cycle (SDLC) is a well established and well thought out concept.  There are books and experts and cool slides galore that talk about it and how security should fit into it.  The problem that I see is that the process as most people think about it isn’t cyclical enough.

Most of the treatment of the subject shows the process ends on acceptance of the product.  This means that it is in general use, the major bugs that will be fixed have been and the users are active with the application.  This status remains until the application is either revised or retired.  You can’t live that way anymore.  If you have an application that is waiting for a revision in the future or making its way to retirement, I would be willing to bet that it has already outlived any security analysis done during its construction.  How many new threats exist today that weren’t around when existing applications were being developed.  How many measures were taken as fully adequate just a year ago that we now see still leave us in the lurch against a determined attack?

If you have an application in production that hasn’t been revised for security in some time you may want to at least take a mental inventory.  The C levels in your company won’t understand that your application was secure when you released it.  They will only see that it was not secure when it was attacked.

Demos from TechEd Hong Kong Sessions

As promised I am posting all the demos from TechEd Hong Kong last week. 

DEV370: Developing Applications Under Windows XP Service Pack 2  

  DEV370 (369.75 KB) 

  Special thanks to Jon Box and Dan Fox of Quilogy for developing and presenting this session for TechEd US. This is the only one of the sessions I presented in Hong Kong that I actually got a chance to attend.

DEV413: Server Control Tips & Tricks

  DEV413 (719.44 KB)

  Session originally done by Rob Howard of Telligent Systems at TechEd US

DEV414: Black-belt ASP.NET – Tips And Tricks For Your ASP.NET Applications

  DEV414 (228.42 KB)

  Session originally done by Rob Howard of Telligent Systems at TechEd US

DEV462: Windows Forms – Tips And Tricks To Improve Your Performance

   DEV462 PerfTalk (216.04 KB)

  Session originally done by Mike Henderlight of Microsoft at TechEd US

DEV463: Windows Forms: Controls Tips And Tricks (700.28 KB)

  Session originally done by Ken Getz of MCW Technologies TechEd US

Thanks to everyone who attended the sessions.  Thanks again to the original TechEd presenters of these sessions for their help since it is always a challenge to do well presenting content developed by others that matches their particular style and strength.

I would encourage anyone who has the opportunity to see any of these people present to take the opportunity as you will learn alot and come away enlightened and entertained.

Don Kiely has something to say

I am listening to the Don Kiely interview on Dot Net Rocks and thought that it was worth pointing the security minded toward.  I have known Don for a while from conferences out and about, but hadn’t realized how much he has delved into the Least Priviledge issue until listening to Carl and Rory discuss it with him on the show.

Also highlighted was Ted Neward’s article on least priviledge located on theServerSide.Net which though short has spawned some comments that show the mood on the subject.

Even if you don’t take the advice at least know the issue.

AuthDiag 1.0 is available in its final form!

If you haven’t used it yet then you should get to know this tool.  If you have then you should be happy to know that the final 1.0 version of AuthDiag is now available at

When you are using Windows Authentication for a web site it can be mind numbing to figure out what is causing access denied problems, especially if you aren’t a security expert.  While it is an unsupported tool, it usually provides enough to get you past your access control configuration issues.

This link is to the i386, 32 bit version of the application.  If you need a 64 bit version (there are different installers for AMD and Intel 64 bit chips) drop me a line and I will hunt down the URLs for you.