<?xml version="1.0" encoding="utf-8"?><rss version="2.0" xmlns:ng="http://newsgator.com/schema/extensions"><channel><title>FM Shared on NewsGator Online</title><link>http://www.newsgator.com</link><description>FM Shared on NewsGator Online</description><lastBuildDate>Wed, 09 Sep 2009 17:11:20 GMT</lastBuildDate><ttl>60</ttl><item><title>Why Anti-XSS?</title><link>http://www.webguvenligi.org/dokuman/neden-anti-xss.html</link><description>For application frameworks such as ASP.NET that provide two layers of protection (request validation, web control encoding), it may not be easy to prove why we have to use XSS prevention techniques. Moreover, for this task we should not use blacklist or filtering libraries/methods we wrote ourselves, but rather, where possible, an open-source library or one that anyone can test.

On your own ...</description><pubDate>Tue, 25 Aug 2009 13:40:45 GMT</pubDate><guid isPermaLink="false">tag:newsgator.com,2006:Feed.aspx/2229041/10393767063</guid><source url="http://www.webguvenligi.org/feed/rss">Web Güvenlik Topluluğu</source><ng:postId>10393767063</ng:postId><ng:feedId>2229041</ng:feedId><ng:folderId>0</ng:folderId><ng:folder ng:id="15102908" ng:flagState="0" ng:annotation="" /></item><item><title>Microsoft Anti-XSS Library - Article Series Part 6</title><link>http://www.webguvenligi.org/dokuman/microsoft-anti-xss-library.html</link><description>Part 6 of the article series under the general title Web Application Security for Developers and Auditors, which we had paused because of the Web Security E-Magazine project, covers Microsoft Cross-Site Scripting Library v3.0, a security library for those developing web applications with ASP.NET.

http://docs.google.com/View?id=d4w2g9c_31fxcszs65 </description><pubDate>Fri, 21 Aug 2009 23:24:29 GMT</pubDate><guid isPermaLink="false">tag:newsgator.com,2006:Feed.aspx/2229041/10375099086</guid><source url="http://www.webguvenligi.org/feed/rss">Web Güvenlik Topluluğu</source><ng:postId>10375099086</ng:postId><ng:feedId>2229041</ng:feedId><ng:folderId>0</ng:folderId><ng:folder ng:id="15102908" ng:flagState="0" ng:annotation="" /></item><item><title>The Only Truly Failed Project</title><link>http://www.codinghorror.com/blog/archives/001297.html</link><description>&lt;p&gt;
Do you remember &lt;a href="http://en.wikipedia.org/wiki/Microsoft_Bob"&gt;Microsoft Bob&lt;/a&gt;? If you do, you probably remember it as an intensely marketed but laughable failure -- what some call &lt;a href="http://www.microsoft-watch.com/content/operating_systems/bill_gates_legacy_microsofts_top_10_flops.html"&gt;the "number one flop" at Microsoft&lt;/a&gt;.
&lt;p&gt;
&lt;a href="http://img237.imageshack.us/img237/9201/bobfrontlargero7.jpg"&gt;&lt;img alt="Microsoft Bob, front" src="http://www.codinghorror.com/blog/images/bob-front-small.png" width="300" height="363" border="0" style="border:1px solid silver;"/&gt;&lt;/a&gt;
&lt;a href="http://img241.imageshack.us/img241/9260/bobbacklargehs7.jpg"&gt;&lt;img alt="Microsoft Bob, back" src="http://www.codinghorror.com/blog/images/bob-back-small.png" width="300" height="361" border="0" style="border:1px solid silver;"/&gt;&lt;/a&gt;
&lt;p&gt;
There's no &lt;i&gt;question&lt;/i&gt; that Microsoft Bob was nothing short of an unmitigated disaster. But that's the funny thing about failures -- &lt;b&gt;they often lead to later successes&lt;/b&gt;. Take it from someone who &lt;a href="http://www.techflash.com/microsoft/Innovation_The_lessons_of_Bob_53605837.html"&gt;lived and breathed the Bob project&lt;/a&gt;:
&lt;p&gt;
&lt;blockquote&gt;
I was the one who sent Bill Gates email at the height of the positive Bob-mania that said we were likely to face a horrible backlash. Tech influentials had started telling me that they were going to bury Bob. They not only didn't like it, they were somehow angry that it had even been developed. It was personal.
&lt;p&gt;
And that's exactly what happened. Bob got killed. But first, it was ridiculed and stomped.
&lt;p&gt; 
For Microsoft, it was a costly mistake. For the people who worked on it, Bob taught many lessons. Lessons that came into play for subsequent products that made a big impact, both at Microsoft and beyond.
&lt;p&gt;
How many people know that the lead developer for Bob 2.0 was also the &lt;a href="http://en.wikipedia.org/wiki/Gabe_Newell"&gt;co-founder of Valve&lt;/a&gt; and the development lead for Half-Life, which became an industry phenomenon, winning more than 50 Game of the Year awards and selling more than 10 million copies?
&lt;p&gt;
Or that Darrin Massena - development lead for Bob 1.0, most recently named Technical Innovator of the Year here in Washington State - and Valve co-founder Mike Harrington are the co-founders and partners behind &lt;a href="http://en.wikipedia.org/wiki/Picnik"&gt;Picnik&lt;/a&gt; - which is now the world's leading online photo editor, attracting almost 40 million visits a month and a million unique users a day.
&lt;/blockquote&gt;
&lt;p&gt;
And then, of course, I'd be remiss if I didn't mention that Melinda French -- Bill Gates' &lt;a href="http://en.wikipedia.org/wiki/Melinda_Gates"&gt;future wife&lt;/a&gt; -- managed the Microsoft Bob project at one point. Bob was the first Microsoft consumer project that &lt;a href="http://www.post-gazette.com/businessnews/19990523bob6.asp"&gt;Bill Gates personally had a hand in launching&lt;/a&gt;. Well, at least he got a wife out of it.
&lt;p&gt;
Yes, Bob was an obvious, undisputed and epic failure. We can point and laugh at Bob. But to me, &lt;b&gt;Bob is less of a comic figure than a tragic one&lt;/b&gt;.
&lt;p&gt;
Unless you're an exceptionally lucky software developer, you've probably worked on more projects that failed than projects that succeeded. Failure is &lt;a href="http://www.codinghorror.com/blog/archives/000588.html"&gt;de rigueur in our industry&lt;/a&gt;. Odds are, you're working on a project that will fail &lt;i&gt;right now&lt;/i&gt;. Oh sure, it may not seem like a failure yet. Maybe it'll fail in some completely unanticipated way. Heck, maybe your project will buck the odds and even succeed.
&lt;p&gt;
But I doubt it.
&lt;p&gt;
I &lt;a href="http://www.codinghorror.com/blog/archives/000770.html"&gt;own a boxed copy of Microsoft Bob&lt;/a&gt;. I keep it on my shelf to remind me that these kinds of relentless, inevitable failures aren't the crushing setbacks they often appear from the outside. On the contrary; I believe it's &lt;a href="http://www.codinghorror.com/blog/archives/000300.html"&gt;impossible to succeed without failing&lt;/a&gt;.
&lt;p&gt;
&lt;blockquote&gt;
Charles Bosk, a sociologist at the University of Pennsylvania, once conducted a set of interviews with young doctors who had either resigned or been fired from neurosurgery-training programs, in an effort to figure out what separated the unsuccessful surgeons from their successful counterparts.
&lt;p&gt;
He concluded that, far more than technical skills or intelligence, &lt;b&gt;what was necessary for success was the sort of attitude that Quest has -- a practical-minded obsession with the possibility and the consequences of failure&lt;/b&gt;. "When I interviewed the surgeons who were fired, I used to leave the interview shaking," Bosk said. "I would hear these horrible stories about what they did wrong, but the thing was that they didn't know that what they did was wrong. In my interviewing, I began to develop what I thought was an indicator of whether someone was going to be a good surgeon or not. It was a couple of simple questions: Have you ever made a mistake? And, if so, what was your worst mistake? The people who said, 'Gee, I haven't really had one,' or, 'I've had a couple of bad outcomes but they were due to things outside my control' -- invariably those were the worst candidates. And the residents who said, 'I make mistakes all the time. There was this horrible thing that happened just yesterday and here's what it was.' They were the best. They had the ability to rethink everything that they'd done and imagine how they might have done it differently." 
&lt;/blockquote&gt;
&lt;p&gt;
I recently watched the documentary &lt;a href="http://www.amazon.com/dp/B000OV967S/?tag=codinghorror-20"&gt;Tilt: The Battle to Save Pinball&lt;/a&gt;.
&lt;p&gt;
&lt;object width="400" height="300"&gt;	&lt;param name="allowfullscreen" value="true" /&gt;	&lt;param name="allowscriptaccess" value="always" /&gt;	&lt;param name="movie" value="http://www.vimeo.com/moogaloop.swf?clip_id=1232459&amp;amp;server=www.vimeo.com&amp;amp;show_title=1&amp;amp;show_byline=1&amp;amp;show_portrait=0&amp;amp;color=&amp;amp;fullscreen=1" /&gt;	&lt;embed src="http://www.vimeo.com/moogaloop.swf?clip_id=1232459&amp;amp;server=www.vimeo.com&amp;amp;show_title=1&amp;amp;show_byline=1&amp;amp;show_portrait=0&amp;amp;color=&amp;amp;fullscreen=1" type="application/x-shockwave-flash" allowfullscreen="true" allowscriptaccess="always" width="400" height="300"&gt;&lt;/embed&gt;&lt;/object&gt;
&lt;p&gt;
It's a gripping story of a pinball industry in crisis. In order to save it, the engineers at Williams -- the only remaining manufacturer of pinball machines in the United States -- were given a herculean task: invent a new form of pinball &lt;i&gt;so compelling&lt;/i&gt; that it makes all previous pinball machines seem obsolete. I don't want to spoil the whole documentary, so I'll gloss over exactly how that happened, but astoundingly enough -- they succeeded.
&lt;p&gt;
And then were promptly laid off en masse, as Williams shut down its pinball operations.
&lt;p&gt;
Unlike Microsoft Bob, the Williams engineers built an almost revolutionary product that was both critically acclaimed and sold well -- but &lt;b&gt;none of that mattered&lt;/b&gt;. It's sobering to watch the end reel of Tilt, as the engineers involved mournfully discuss the termination of their bold and seemingly successful project.
&lt;p&gt;
&lt;blockquote&gt;
Everyone was in awe. They couldn't understand why it happened. Here we'd just done this thing that from all we could tell was a total success. Why would they do that?
&lt;p&gt;
We succeeded. Management gave us an impossible goal, and we sat there and we actually did what they thought we couldn't do.
&lt;p&gt;
You know, we didn't really win... we lost. I gave it everything I had. I think that those fifty guys that worked on it, they also passionately did everything that they could.
&lt;/blockquote&gt;
&lt;p&gt;
Sometimes, &lt;b&gt;even when your project succeeds, you've failed&lt;/b&gt;. Due to forces entirely beyond your control. It's depressing, but it's reality.
&lt;p&gt;
The trailout isn't all doom and gloom. It also documents the ways in which these talented pinball engineers went on to practice their craft after being laid off. Most of them still work in the video game or pinball industry. Some freelance. Others formed their own companies. A few went on to work at Stern Pinball, which figured out how to make a small number of pinball machines and still turn a profit.
&lt;p&gt;
These two stories, these two projects -- the abject failure of Microsoft Bob, and the aborted success of Pinball 2000 -- have something in common beyond mere failure. All the engineers involved &lt;b&gt;not only survived these failures, but often went on to greater success afterwards&lt;/b&gt;. Possibly as a direct result of their work on these "failures".
&lt;p&gt;
Failure is a wonderful teacher. But there's no need to seek out failure. It will find you. Whatever project you're working on, consider it an opportunity to learn and practice your craft. &lt;a href="http://www.codinghorror.com/blog/archives/001207.html"&gt;It's worth doing because, well, it's worth doing&lt;/a&gt;. The journey of the project should be its own reward, regardless of whatever happens to lie at the end of that journey.
&lt;p&gt;
The only truly &lt;i&gt;failed&lt;/i&gt; project is &lt;b&gt;the one where you didn't learn anything along the way&lt;/b&gt;.
&lt;p&gt;
&lt;p&gt;</description><pubDate>Thu, 20 Aug 2009 07:59:59 GMT</pubDate><guid isPermaLink="false">http://www.codinghorror.com/blog/archives/001297.html</guid><author>Jeff Atwood</author><source url="http://feeds.feedburner.com/codinghorror/">Coding Horror</source><ng:postId>10366434959</ng:postId><ng:feedId>22276</ng:feedId><ng:folderId>0</ng:folderId><ng:folder ng:id="15102908" ng:flagState="0" ng:annotation="" /></item><item><title>MS09-036: ASP.NET Denial-of-Service vulnerability</title><link>http://blogs.technet.com/srd/archive/2009/08/11/ms09-036-asp-net-denial-of-service-vulnerability.aspx</link><description>&lt;P&gt;We have released &lt;A href="http://www.microsoft.com/technet/security/bulletin/MS09-036.mspx" mce_href="http://www.microsoft.com/technet/security/bulletin/MS09-036.mspx"&gt;MS09-036&lt;/A&gt; to address an anonymous denial of service (DoS) vulnerability in ASP.NET. We’d like to go into more detail in this blog to help you understand:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Which configurations are at risk?&lt;/LI&gt;
&lt;LI&gt;What could happen if my configuration is impacted?&lt;/LI&gt;
&lt;LI&gt;How can I protect myself?&lt;/LI&gt;&lt;/UL&gt;
&lt;P&gt;&lt;B&gt;Which configurations are at risk?&lt;/B&gt;&lt;/P&gt;
&lt;P&gt;This vulnerability can only be triggered using ASP.NET on webservers running IIS 7 in integrated mode. So all the following configurations are &lt;B&gt;&lt;U&gt;not&lt;/U&gt;&lt;/B&gt; affected: 
&lt;UL&gt;
&lt;LI&gt;IIS6 servers are safe;&lt;/LI&gt;
&lt;LI&gt;IIS7 with application pools only in classic mode is safe;&lt;/LI&gt;
&lt;LI&gt;IIS7 on Windows Vista SP2 or Windows Server 2008 SP2 is safe.&lt;/LI&gt;&lt;/UL&gt;
&lt;P&gt;Windows 2000, Windows XP and Windows Server 2003 are not affected by this issue, since IIS7 can only be installed on Windows Vista and Windows Server 2008.&lt;/P&gt;
&lt;P&gt;Specifically, we would like to clarify the following questions:&lt;/P&gt;
&lt;P&gt;&lt;B&gt;Question 1:&lt;/B&gt; Is the vulnerability in IIS7, or in ASP.net?&lt;/P&gt;
&lt;P&gt;This is an issue in ASP.net, which is shipped as part of .NET Framework.&lt;/P&gt;
&lt;P&gt;&lt;B&gt;Question 2:&lt;/B&gt; How can I tell whether the version of the .NET Framework installed on my Windows Vista/Windows Server 2008 machine contains the vulnerable code?&lt;/P&gt;
&lt;P&gt;For Windows Vista and Windows Server 2008, let’s take a look at the supported .NET Framework installation scenarios. Also note that Windows Server 2008 RTM shipped with Service Pack 1 of the OS (see &lt;A href="http://technet.microsoft.com/en-us/library/dd335038.asp" mce_href="http://technet.microsoft.com/en-us/library/dd335038.asp"&gt;http://technet.microsoft.com/en-us/library/dd335038.asp&lt;/A&gt; for more information).&lt;/P&gt;
&lt;TABLE border=1&gt;
&lt;TBODY&gt;
&lt;TR&gt;
&lt;TD&gt;&amp;nbsp;&lt;/TD&gt;
&lt;TD&gt;&lt;B&gt;.NET Framework 2.0/3.0 RTM&lt;/B&gt;&lt;/TD&gt;
&lt;TD&gt;&lt;B&gt;.NET Framework 2.0/3.0 SP1&lt;/B&gt;&lt;/TD&gt;
&lt;TD&gt;&lt;B&gt;.NET Framework 2.0/3.0 SP2&lt;/B&gt;&lt;/TD&gt;&lt;/TR&gt;
&lt;TR&gt;
&lt;TD&gt;Windows Vista RTM&lt;/TD&gt;
&lt;TD&gt;Supported&lt;BR&gt;(in-box installation)&lt;/TD&gt;
&lt;TD&gt;Supported&lt;/TD&gt;
&lt;TD&gt;Supported&lt;/TD&gt;&lt;/TR&gt;
&lt;TR&gt;
&lt;TD&gt;Windows Vista SP1&lt;BR&gt;Windows Server 2008&lt;/TD&gt;
&lt;TD&gt;Not Supported&lt;/TD&gt;
&lt;TD&gt;Supported&lt;BR&gt;(in-box installation)&lt;/TD&gt;
&lt;TD&gt;Supported&lt;/TD&gt;&lt;/TR&gt;
&lt;TR&gt;
&lt;TD&gt;Windows Vista SP2&lt;BR&gt;Windows Server 2008 SP2&lt;/TD&gt;
&lt;TD&gt;Not Supported&lt;/TD&gt;
&lt;TD&gt;Not Supported&lt;/TD&gt;
&lt;TD&gt;Supported&lt;BR&gt;(in-box installation)&lt;/TD&gt;&lt;/TR&gt;&lt;/TBODY&gt;&lt;/TABLE&gt;
&lt;P&gt;Of all the supported scenarios above, only the .NET Framework 2.0/3.0 SP2 shipped with Windows Vista SP2/Windows Server 2008 SP2 is not affected. That’s why we said previously that IIS7 on Windows Vista SP2 or Windows Server 2008 SP2 is safe.&lt;/P&gt;
&lt;P&gt;&lt;B&gt;Question 3:&lt;/B&gt; I am confused. It is said that the vulnerability is in the .NET Framework. How can the .NET Framework 2.0/3.0 SP2 on Windows Vista SP1 be affected while the .NET Framework 2.0/3.0 SP2 on Windows Vista SP2 is NOT affected?&lt;/P&gt;
&lt;P&gt;Due to the incremental build environment, the in-box .NET 2.0/3.0 SP2 version shipped with Windows Vista SP2 and Windows Server 2008 SP2 is not affected by this vulnerability. To clarify, even though the version number (2.0/3.0 SP2) is kept the same, the in-box .NET 2.0/3.0 SP2 version shipped with Windows Vista SP2 and Windows Server 2008 SP2 already includes the fix for this vulnerability.&lt;/P&gt;
&lt;P&gt;&lt;B&gt;Question 4:&lt;/B&gt; What about .NET Framework 3.5?&lt;/P&gt;
&lt;P&gt;.NET Framework 3.5 is built incrementally upon .NET Framework 2.0 and 3.0. In this context, .NET Framework 3.5 is equivalent to .NET Framework 2.0/3.0 SP1, and .NET Framework 3.5 SP1 is equivalent to .NET Framework 2.0/3.0 SP2. So if you have .NET Framework 3.5 SP1 installed on Vista RTM, Vista SP1 or Windows Server 2008 RTM/SP1, you also have an affected version of .NET Framework 2.0 SP2 installed.&lt;/P&gt;
&lt;P&gt;&lt;B&gt;What could happen if my configuration is impacted?&lt;/B&gt;&lt;/P&gt;
&lt;P&gt;The attack is a remote anonymous DoS attack against ASP.NET. In other words, ASP.NET would stop processing requests. Therefore:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;This is not a DoS against the underlying operating system (i.e. Windows).&lt;/LI&gt;
&lt;LI&gt;This is not a DoS against IIS7. IIS7 is still running, which means if you have a webpage which does not require ASP.NET, the webpage would not be affected. Only web pages requiring ASP.NET functionality would be affected.&lt;/LI&gt;&lt;/UL&gt;
&lt;P&gt;&lt;B&gt;How could I recover from the attack?&lt;/B&gt;&lt;/P&gt;
&lt;P&gt;Restarting IIS’s application pool will recover your application from the attack. You can do this via the command-line utility iisreset.exe or the IIS UI.&lt;/P&gt;
&lt;P&gt;UI: In the IIS Manager tool go to the “Application Pools” node. In the right-hand pane choose the application pool to recycle. Right click on the desired application pool and select “Recycle” from the pop-out menu. These steps are illustrated below.&lt;/P&gt;
&lt;P&gt;&lt;IMG src="http://blogs.technet.com/photos/swiblog/images/3272451/original.aspx" mce_src="http://blogs.technet.com/photos/swiblog/images/3272451/original.aspx"&gt;&lt;/P&gt;
&lt;P&gt;&lt;B&gt;Mitigation and Workarounds?&lt;/B&gt;&lt;/P&gt;
&lt;P&gt;As indicated, IIS7 on Windows Vista SP2 or Windows Server 2008 SP2 is not affected. Therefore, you may consider upgrading your system to Windows Vista SP2 or Windows Server 2008 SP2. However, there are potential compatibility issues developers should be aware of when upgrading ASP.NET applications to the version of the .NET Framework that is included in Windows Vista SP2 and Windows Server 2008 SP2. For a current list of known issues see http://forums.asp.net/t/1305800.aspx.&lt;/P&gt;
&lt;P&gt;Other options would be changing how IIS processes the requests for managed code. The workarounds listed in the security bulletin are examples of this approach.&lt;/P&gt;
&lt;P&gt;In IIS 7.0, application pools run in one of two modes: integrated mode and classic mode. The application pool mode affects how the Web server processes requests for managed code. If a managed application runs in an application pool with integrated mode, the Web server uses the integrated, request-processing pipelines of IIS and ASP.NET to process the request. However, if a managed application runs in an application pool with classic mode, the Web server continues to route requests for managed code through Aspnet_isapi.dll, processing requests the same as if you were running in IIS 6.0.&lt;/P&gt;
&lt;P&gt;For reference, here are a number of links that discuss ISAPI (i.e. classic mode) and integrated mode:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Classic mode request processing: &lt;A href="http://msdn.microsoft.com/en-us/library/ms178473.aspx" mce_href="http://msdn.microsoft.com/en-us/library/ms178473.aspx"&gt;http://msdn.microsoft.com/en-us/library/ms178473.aspx&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;Integrated mode request processing: &lt;A href="http://msdn.microsoft.com/en-us/library/bb470252.aspx" mce_href="http://msdn.microsoft.com/en-us/library/bb470252.aspx"&gt;http://msdn.microsoft.com/en-us/library/bb470252.aspx&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;A list of breaking changes when trying to move a classic mode application to integrated mode: &lt;A href="http://learn.iis.net/page.aspx/381/aspnet-20-breaking-changes-on-iis-70/" mce_href="http://learn.iis.net/page.aspx/381/aspnet-20-breaking-changes-on-iis-70/"&gt;http://learn.iis.net/page.aspx/381/aspnet-20-breaking-changes-on-iis-70/&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;An overview article that talks about some ASP.NET functionality that can be extended to non-ASP.NET content: &lt;A href="http://learn.iis.net/page.aspx/243/aspnet-integration-with-iis7/" mce_href="http://learn.iis.net/page.aspx/243/aspnet-integration-with-iis7/"&gt;http://learn.iis.net/page.aspx/243/aspnet-integration-with-iis7/&lt;/A&gt;&lt;/LI&gt;&lt;/UL&gt;
&lt;P&gt;As indicated in the bulletin, a viable workaround is to configure either the MaxConcurrentRequestsPerCPU registry key or the maxConcurrentRequestsPerCPU attribute in aspnet.config to shift requests from the CLR threadpool (which is what ASP.NET interacts with) to the IIS native threadpool.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Update 8/17/2009: &lt;/STRONG&gt;Bulletin number and hyperlink corrected.&lt;/P&gt;
&lt;P&gt;- Chengyun Chu, MSRC Engineering&lt;/P&gt;
&lt;P&gt;*Posting is provided "AS IS" with no warranties, and confers no rights.*&lt;/P&gt;</description><pubDate>Tue, 11 Aug 2009 15:39:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3272425</guid><comments>http://blogs.technet.com/srd/comments/3272425.aspx</comments><author>swiblog</author><source url="http://blogs.technet.com/srd/rss.xml">Security Research &amp; Defense</source><ng:postId>10313184950</ng:postId><ng:feedId>1878025</ng:feedId><ng:folderId>0</ng:folderId><ng:folder ng:id="15102908" ng:flagState="0" ng:annotation="" /></item><item><title>Business Advice Plagued by Survivor Bias</title><link>http://feedproxy.google.com/~r/blogspot/smartbear/~3/NcZeb93P-so/business-advice-plagued-by-survivor-bias.html</link><description>&lt;p&gt;&lt;span class="full-image-block ssNonEditable" style="float:right;margin-left:10px;"&gt;&lt;span&gt;&lt;img style="border:0;" src="http://blog.asmartbear.com/storage/postart/zener-cards-vertical.png?__SQUARESPACE_CACHEVERSION=1248910744798" alt="" /&gt;&lt;/span&gt;&lt;/span&gt;Do you read business blogs where the author has failed three times without success?&lt;/p&gt;
&lt;p&gt;No, because you want to learn from success, not hear about "lessons learned" from a guy who hasn't yet learned those lessons himself.&lt;/p&gt;
&lt;p&gt;However, &lt;strong&gt;the fact that you are learning only from success is a deeper problem than you imagine.&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Some stories will expose the enormity of this fallacy.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&lt;span style="text-decoration: underline;"&gt;Bullet holes: A brain teaser&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt; During World War II the English sent daily bombing raids into Germany. Many planes never returned; those that did were often riddled with bullet holes from anti-air machine guns and German fighters.&lt;/p&gt;
&lt;p&gt;Wanting to improve the odds of getting a crew home alive, English engineers studied the locations of the bullet holes. Where the planes were hit most, they reasoned, is where they should attach heavy armor plating. Sure enough, a pattern emerged: Bullets clustered on the wings, tail, and rear gunner's station.  Few bullets were found in the main cockpit or fuel tanks.&lt;/p&gt;
&lt;p&gt;The logical conclusion is that they should add armor plating to the spots that get hit most often by bullets.  But that's wrong.&lt;/p&gt;
&lt;p&gt;Planes with bullets in the cockpit or fuel tanks &lt;em&gt;didn't make it home&lt;/em&gt;; the bullet holes in returning planes were "found" in places that were by definition relatively benign. The real data is in the planes that were shot down, not the ones that survived.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;This is a literal example of "survivor bias"&lt;/strong&gt; -- drawing conclusions only from data that is available or convenient and thus systematically biasing your results.&lt;/p&gt;
&lt;p&gt;&lt;em&gt;Doesn't most business advice suffer from this fallacy?&lt;/em&gt; You read about successes but what about the businesses that "never made it home?" Like the downed planes, &lt;strong&gt;could failure contain more lessons than success?&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&lt;span style="text-decoration: underline;"&gt;Burying the other evidence&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt; Scientific journals like to publish extraordinary results, so studies that don't show anything of statistical significance aren't published but rather are abandoned or silently stowed away in academic filing cabinets.&lt;/p&gt;
&lt;p&gt;This practice is called the "file-drawer effect," and it's a particularly insidious form of survivor bias because it's invisible. Peter Norvig &lt;a title="Great essay detailing common mistakes in experimental design" href="http://norvig.com/experiment-design.html" target="_blank"&gt;sums it up nicely&lt;/a&gt;:&lt;/p&gt;
&lt;blockquote&gt;When a published paper proclaims "statistically, this could only happen by chance one in twenty times," it is quite possible that similar experiments have been performed twenty times, but have not been published.&lt;/blockquote&gt;
&lt;p&gt;Pharmaceutical companies have exploited this effect to intentionally skew results.  It's gotten so bad that journals are calling for a public database to prevent fraud:&lt;/p&gt;
&lt;blockquote&gt;More than two-thirds of studies of anti-depressants given to depressed children, for instance, found the medications were no better than sugar pills, but companies published only the positive trials.&lt;br /&gt;&lt;br /&gt; If all the studies had been registered from the start, doctors would have learned that the positive data were only a fraction of the total.&lt;br /&gt;&lt;a href="http://www.smh.com.au/articles/2004/09/09/1094530773888.html"&gt;&lt;em&gt;--Washington&amp;nbsp;Post&lt;/em&gt;&lt;/a&gt;&lt;/blockquote&gt;
&lt;p&gt;&lt;em&gt;Doesn't most business advice suffer from this fallacy?&lt;/em&gt; Harvard Business School's famous &lt;a title="Harvard's on-line repository of case studies" href="http://stage.hbsp.harvard.edu/b01/en/search/searchResults.jhtml?userView=ACADEMIC&amp;amp;N=509628+102" target="_blank"&gt;case studies&lt;/a&gt; include only success stories. To paraphrase Peter, &lt;strong&gt;what if twenty other coffee shops had the same ideas, same product, and same dedication as Starbucks, but failed?&lt;/strong&gt; How does that affect what we can learn from Starbucks's success?&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&lt;span style="text-decoration: underline;"&gt;Experimental proof of ESP&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;&lt;a title="Wikipedia bio" href="http://en.wikipedia.org/wiki/Joseph_Banks_Rhine" target="_blank"&gt;Dr. Joseph Rhine&lt;/a&gt; brought the rigor of experimental psychology to the study of the paranormal, and ESP (Extra Sensory Perception) in particular. He made waves in the 1930s with controlled experiments testing whether a person was able to predict the order of the cards in a shuffled&amp;nbsp;&lt;a title="Wikipedia definition of these cards" href="http://en.wikipedia.org/wiki/Zener_cards" target="_blank"&gt;Zener&lt;/a&gt;&amp;nbsp;deck (with symbols like circle, square, star, and wavy lines).&lt;/p&gt;
&lt;p&gt;In a typical experiment, 500 people are screened for "strong telepathic ability," measured by significantly above-average performance in a 25-card deck. Those selected are tested again, and more drop away. Tested a third time, perhaps one person passes again and we conclude that such a repeat performance is statistical evidence of genuine ESP.&lt;/p&gt;
&lt;p&gt;To see why this is just a different face of survivor bias, consider the following experiment. I believe some people are "heady" when it comes to coin-flipping -- getting heads more often than chance alone would suggest. So I put 1000 people in a room and tell them to flip a coin ten times. Sure enough, a woman named Margaret makes "heads" ten times in a row! The chance of her getting heads ten times in a row is only 1-in-1024, so I conclude Margaret has special abilities.&lt;/p&gt;
&lt;p&gt;Actually that last statement is true but misleading. The chance that &lt;em&gt;Margaret&lt;/em&gt;&amp;nbsp;would flip ten heads in a row is 1-in-1024, but that's not the experiment I ran was it? I let 1000 people flip and "found" Margaret in the crowd.&lt;/p&gt;
&lt;p&gt;The chance that &lt;em&gt;somebody &lt;/em&gt;in a crowd of a thousand would flip heads ten times is a whopping 62%! Because so many people are attempting the feat, some normally-unlikely events will happen. This isn't a test of Margaret's abilities at all!&lt;/p&gt;
&lt;p&gt;&lt;em&gt;Doesn't most business advice suffer from this fallacy?&lt;/em&gt; Take me for instance. I've done three consecutive successful startup companies, so that's proof that I know what I'm doing and that you should do everything I say, right? Except maybe I'm just the one in the crowd who guessed right on the Zener cards three times, and there's no reason to believe I would be successful a fourth time.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&lt;span style="text-decoration: underline;"&gt;Specific examples of survivor bias in business advice&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt; So far I've been asking rhetorically whether survivor bias &lt;em&gt;might&lt;/em&gt; be severely skewing business advice. &lt;a title="Wikipedia bio" href="http://en.wikipedia.org/wiki/Steven_Levitt" target="_blank"&gt;Steven Levitt&lt;/a&gt; (of &lt;a title="The famous popular book on behavioral economics" href="http://www.amazon.com/gp/product/0061234001?ie=UTF8&amp;amp;tag=teamcohen-20&amp;amp;linkCode=as2&amp;amp;camp=1789&amp;amp;creative=9325&amp;amp;creativeASIN=0061234001" target="_blank"&gt;&lt;em&gt;Freakonomics&lt;/em&gt;&lt;/a&gt; fame) investigated this question directly.&lt;/p&gt;
&lt;p&gt;He was reading &lt;a href="http://www.amazon.com/gp/product/0066620996?ie=UTF8&amp;amp;tag=teamcohen-20&amp;amp;linkCode=as2&amp;amp;camp=1789&amp;amp;creative=9325&amp;amp;creativeASIN=0066620996" target="_blank"&gt;&lt;em&gt;Good to Great&lt;/em&gt;&lt;/a&gt; by Jim Collins, a book that analyzed eleven companies that were mediocre -- just pooping along -- but then transformed themselves into stock market sensations. A conclusion was that the common trait was a "culture of discipline."  This book has sold many millions of copies, so it's a good example of popular writing on business advice.&lt;/p&gt;
&lt;p&gt;One of the eleven "great" companies was Fannie Mae, and Steven Levitt was reading this book just as Fannie was collapsing in financial disaster. Hmm, he thought, I wonder how those other "great" companies are doing.&lt;/p&gt;
&lt;p&gt;Turns out, had you invested in those eleven companies in 2001 (when the book came out), your portfolio would have underperformed the S&amp;amp;P 500! (Fannie Mae wasn't even the only case of total disaster -- also extolled was the now-bankrupt Circuit City.)&lt;/p&gt;
&lt;p&gt;Why didn't these companies continue to succeed?  It turns out Jim started by combing through 1435 companies looking for good candidates for the book, and picked eleven.  &lt;strong&gt;It's the ESP experiment all over again!&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;On top of that, Jim doesn't bother asking whether any of the 1424 other companies also displayed a "culture of discipline." Maybe that's something that many public companies have regardless of performance.&lt;/p&gt;
&lt;p&gt;Is this book an aberration?  Nope, Steven investigated another business book from the 1980s -- &lt;a href="http://www.amazon.com/gp/product/0060548789?ie=UTF8&amp;amp;tag=asmbe-20&amp;amp;linkCode=as2&amp;amp;camp=1789&amp;amp;creative=390957&amp;amp;creativeASIN=0060548789" target="_blank"&gt;&lt;em&gt;In Search of Excellence&lt;/em&gt;&lt;/a&gt; -- and found the same effect.&lt;/p&gt;
&lt;p&gt;Steven then comes to the same conclusion that I'm coming to:&lt;/p&gt;
&lt;blockquote&gt;These business books are mostly backward-looking: what have companies done that has made them successful? The future is always hard to predict, and understanding the past is valuable; on the other hand, the implicit message of these business books is that the principles that these companies use not only have made them good in the past, but position them for continued success. &lt;br /&gt;&lt;br /&gt; &lt;strong&gt;To the extent that this doesn't actually turn out to be true, it calls into question the basic premise of these books, doesn't it? &lt;/strong&gt;&lt;/blockquote&gt;
&lt;p&gt;&lt;strong&gt;&lt;span style="text-decoration: underline;"&gt;Oops, did I just invalidate my blog?&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt; Lately I've been wondering if a lot of business advice -- both mine and others' -- is really a case of survivor bias. I mean, I didn't start out at Smart Bear with a load of philosophy and a fixed idea of who the customer was or even what the products would be.&lt;/p&gt;
&lt;p&gt;How do I know this post-hoc philosophy and advice isn't just a case of survivor bias? Am I not like the ESP-savant, successful not by force of nature but by simple chance of surviving?&lt;/p&gt;
&lt;p&gt;Or perhaps I'm like Dr. Rhine the ESP experimenter -- convinced I've discovered something important with "objective measures of success" -- and yet I'm actually living in a dream world.&lt;/p&gt;
&lt;p&gt;More to the point, &lt;strong&gt;how can &lt;em&gt;you&lt;/em&gt;, dear reader, ascertain whether my articles or any advice from anywhere suffers from this fallacy?&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;In the end of course you &lt;em&gt;don't&lt;/em&gt; know. But here's something: Just the fact that you're aware of survivor bias means you're less likely to be fooled by it. So, reading this article has helped a little.&lt;/p&gt;
&lt;p&gt;Beyond that, prefer advice that &lt;a title="My experience with a viral post and how I hoped people would take the advice" href="http://blog.asmartbear.com/blog/behind-the-scenes-of-a-viral-post-why-successful-bloggers-co.html" target="_blank"&gt;makes you think&lt;/a&gt; and &lt;a title="Article about how to recognize good advice, especially as devil's advocate" href="http://blog.asmartbear.com/blog/distinguishing-constructive-criticism-from-bad-business-advi.html" target="_blank"&gt;forces you to answer tough questions&lt;/a&gt; of yourself, not advice that simply tells you to march in a certain direction. Use advice as a sounding board rather than &lt;a title="Jason Fried on why you can't just copy someone else" href="http://www.37signals.com/svn/posts/1561-why-you-shouldnt-copy-us-or-anyone-else" target="_blank"&gt;gospel&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;&lt;em&gt;What do you think? How do you decide which advice to take? &lt;a href="http://blog.asmartbear.com/blog/business-advice-plagued-by-survivor-bias.html#comments"&gt;Leave a comment&lt;/a&gt; and join the conversation.&lt;/em&gt;&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/blogspot/smartbear?a=NcZeb93P-so:09WZv1bBI3Y:I9og5sOYxJI"&gt;&lt;img src="http://feeds.feedburner.com/~ff/blogspot/smartbear?d=I9og5sOYxJI" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/blogspot/smartbear?a=NcZeb93P-so:09WZv1bBI3Y:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/blogspot/smartbear?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/blogspot/smartbear?a=NcZeb93P-so:09WZv1bBI3Y:MbsSfiz-sEw"&gt;&lt;img src="http://feeds.feedburner.com/~ff/blogspot/smartbear?d=MbsSfiz-sEw" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/blogspot/smartbear?a=NcZeb93P-so:09WZv1bBI3Y:cGdyc7Q-1BI"&gt;&lt;img src="http://feeds.feedburner.com/~ff/blogspot/smartbear?d=cGdyc7Q-1BI" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/blogspot/smartbear?a=NcZeb93P-so:09WZv1bBI3Y:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/blogspot/smartbear?i=NcZeb93P-so:09WZv1bBI3Y:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/blogspot/smartbear?a=NcZeb93P-so:09WZv1bBI3Y:gIN9vFwOqvQ"&gt;&lt;img src="http://feeds.feedburner.com/~ff/blogspot/smartbear?i=NcZeb93P-so:09WZv1bBI3Y:gIN9vFwOqvQ" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/blogspot/smartbear?a=NcZeb93P-so:09WZv1bBI3Y:F7zBnMyn0Lo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/blogspot/smartbear?i=NcZeb93P-so:09WZv1bBI3Y:F7zBnMyn0Lo" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/blogspot/smartbear/~4/NcZeb93P-so" height="1" width="1"/&gt;</description><pubDate>Mon, 17 Aug 2009 14:00:05 GMT</pubDate><guid isPermaLink="false">290166:2960853:4529000</guid><author>Jason</author><source url="http://feeds.feedburner.com/blogspot/smartbear">A Smart Bear: Startups and Marketing for Geeks</source><ng:postId>10345759573</ng:postId><ng:feedId>3123852</ng:feedId><ng:folderId>0</ng:folderId><ng:folder ng:id="15102908" ng:flagState="0" ng:annotation="" /></item><item><title>Google: Don&amp;#8217;t be evil</title><link>http://www.greebo.net/2009/08/12/google-dont-be-evil/</link><description>&lt;p&gt;I work on an open source project, ESAPI for PHP. Well, &amp;#8220;work&amp;#8221; might be too strong a word for it, but I try to prod its lifeless carcass from time to time. That&amp;#8217;s not the reason I write today. I write because of stupidity, and evil being conducted in the name of a &amp;#8220;law&amp;#8221;.&lt;/p&gt;
&lt;p&gt;I have a fellow open sourcer who wants to contribute to ESAPI for PHP. He&amp;#8217;s actually completed an MVC framework for PHP (jFramework). Due to Google blocking Iran, this gentleman can&amp;#8217;t easily contribute to our project, which hosts its repository on code.google.com. ESAPI for PHP will not help build a nuke. It does no crypto of its own. It &lt;strong&gt;&lt;em&gt;will&lt;/em&gt;&lt;/strong&gt; make PHP applications safer and more secure &amp;#8211; but you can do that anyway if you read half a dozen pages on PHP&amp;#8217;s website.&lt;/p&gt;
&lt;p&gt;This is madness. ITAR is about blocking the &lt;strong&gt;EXPORT&lt;/strong&gt; of sensitive MUNITIONS (i.e. weapons) &lt;strong&gt;&lt;em&gt;TO&lt;/em&gt;&lt;/strong&gt; Iran and other &amp;#8220;hostile&amp;#8221; countries. ITAR is NOT about blocking the &lt;strong&gt;&lt;em&gt;GIFT&lt;/em&gt;&lt;/strong&gt; of intellectual property and valuable developer cycles &lt;strong&gt;&lt;em&gt;FROM&lt;/em&gt;&lt;/strong&gt; Iran, helping everyone all over the world, including those folks in Iran (as well as Australia and the USA). This is stupidity on a scale I&amp;#8217;ve not seen in a while.&lt;/p&gt;
&lt;p&gt;&lt;span style="text-decoration: underline;"&gt;Google: you are doing evil.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;Stop this madness, now! Call in your tame congress critters and tell them how stupid and harmful this particular nonsense is and get it repealed. Grow a spine and take a chance. Unless someone open sources a command and control system for a warship, a missile guidance program, or puts Nuclear Reactors For Dummies up as a project, all of the projects should be available for download worldwide. Those one or two mythical and nonsensical projects should not block an entire library of human knowledge to the entire Iranian people just because some imaginary evil open source project might help Iran&amp;#8217;s nuclear program or military. The stuff we do is not rocket science.&lt;/p&gt;
&lt;p&gt;Stupid and outdated laws / treaties like ITAR make us disrespectful of all the other laws and treaties, and make us lose all respect for those who abuse their positions of power in the name of &amp;#8220;security&amp;#8221;. The way to improve relations between countries is not to block them (how&amp;#8217;s that Cuba policy going, anyway?) but to engage with them and stop the evil ignoramuses on both sides from stopping everyone being happy and free, or just contributing to an open source project.&lt;/p&gt;
</description><pubDate>Tue, 11 Aug 2009 14:36:06 GMT</pubDate><guid isPermaLink="false">http://www.greebo.net/?p=562</guid><author>vanderaj</author><source url="http://www.greebo.net/feed/atom/">cat slave diary</source><ng:postId>10313793673</ng:postId><ng:feedId>538174</ng:feedId><ng:folderId>0</ng:folderId><ng:folder ng:id="15102908" ng:flagState="0" ng:annotation="" /></item><item><title>Web Application Security Training | Writing Something</title><link>http://www.serdarb.com/gerekli-gereksiz/web-uygulamalari-guvenligi-egitimi/</link><description>This weekend I attended the web application security training given by &lt;b&gt;ferruh.mavituna&lt;/b&gt;. And, in the evolution of my software development, a third.</description><pubDate>Sun, 16 Aug 2009 19:12:35 GMT</pubDate><guid isPermaLink="false">tag:newsgator.com,2006:Feed.aspx/1123014/10350215934</guid><author>serdar</author><source url="http://blogsearch.google.com/blogsearch_feeds?q=%22ferruh+mavituna%22&amp;sourceid=navclient&amp;hl=en&amp;as_drrb=q&amp;as_qdr=w&amp;ie=utf-8&amp;num=100&amp;output=rss">"ferruh mavituna" - Google Blog Search</source><ng:postId>10350215934</ng:postId><ng:feedId>1123014</ng:feedId><ng:folderId>0</ng:folderId><ng:folder ng:id="15102908" ng:flagState="0" ng:annotation="" /></item><item><title>Visualize project dependencies with the Team System 2010 Architecture Explorer</title><link>http://blogs.msdn.com/habibh/archive/2009/08/06/visualize-project-dependencies-with-the-team-system-2010-architecture-explorer.aspx</link><description>&lt;p&gt;Since as early as Visual Studio 2002, Visual Studio has supported the ability to see the dependencies between projects in a solution. However, the experience is somewhat clunky in that you can only see the dependencies one project at a time.&lt;/p&gt;  &lt;p&gt;In the example below, you can see the project dependencies for the &lt;em&gt;Patient Monitoring&lt;/em&gt; project. 
However, as I mentioned above, the major drawback to this approach is that you can only see the dependencies one project at a time and don't get to see a &amp;quot;global view&amp;quot; of your solution. There is also another scenario that today's solution doesn't solve. The problem is that the only way to find out &lt;em&gt;why&lt;/em&gt; a dependency exists is to look at the code or use some other tool. In the screenshot below, the &lt;strong&gt;Project Dependencies&lt;/strong&gt; dialog doesn't tell you why the &lt;em&gt;Patient Monitoring&lt;/em&gt; project is dependent on the &lt;em&gt;Chart&lt;/em&gt; project.&lt;/p&gt;  &lt;p&gt;&lt;img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="Project dependencies" border="0" alt="Project dependencies" src="http://blogs.msdn.com/blogfiles/habibh/WindowsLiveWriter/VisualizeprojectdependencieswiththeTeamS_11E50/image_16.png" width="800" height="600" /&gt; &lt;/p&gt;  &lt;p&gt;Architecture Explorer in Team System 2010 not only allows you to see the project dependencies for the entire solution but it also allows you to see the reason why each dependency exists. Each arrow in the screenshot below represents a dependency. Furthermore, the thickness of an arrow indicates the size of the dependency. Notice that there are no arrows going in or out of the ChartVisuals project. 
Using the Architecture Explorer, I discovered that this project is not being used anywhere!&lt;/p&gt;  &lt;p&gt;&lt;img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="Architecture Explorer diagram" border="0" alt="Architecture Explorer diagram" src="http://blogs.msdn.com/blogfiles/habibh/WindowsLiveWriter/VisualizeprojectdependencieswiththeTeamS_11E50/image_13.png" width="638" height="650" /&gt; &lt;/p&gt;  &lt;p&gt;To investigate a dependency further, you can expand the chevron (double arrows) on each node. This will not only display the classes within a project but it will also draw arrows from the classes that have dependencies on other projects. You can even dig one level deeper to see the &lt;em&gt;methods&lt;/em&gt; in those classes that are calling into the dependencies. This is shown via the blue arrows below.&lt;/p&gt;  &lt;p&gt;&lt;img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="Architecture Explorer diagram expanded" border="0" alt="Architecture Explorer diagram expanded" src="http://blogs.msdn.com/blogfiles/habibh/WindowsLiveWriter/VisualizeprojectdependencieswiththeTeamS_11E50/image_19.png" width="879" height="652" /&gt; &lt;/p&gt;  &lt;p&gt;In a future blog post, I'll walk through how to use the Architecture Explorer to analyze circular references and class coupling.&lt;/p&gt;  &lt;p&gt;Habib Heydarian.&lt;/p&gt;&lt;img src="http://blogs.msdn.com/aggbug.aspx?PostID=9858711" width="1" height="1"&gt;</description><pubDate>Thu, 06 Aug 2009 07:56:00 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:9858711</guid><comments>http://blogs.msdn.com/habibh/comments/9858711.aspx</comments><author>habibh</author><source url="http://blogs.msdn.com/habibh/rss.xml">Habib Heydarian's Blog @ 
Microsoft</source><ng:postId>10281807759</ng:postId><ng:feedId>456217</ng:feedId><ng:folderId>0</ng:folderId><ng:folder ng:id="15102908" ng:flagState="0" ng:annotation="" /></item><item><title>Defcon 17 Slides, Demos and Tools</title><link>http://www.notsosecure.com/folder2/2009/08/04/defcon-17-slides-demos-and-tools/</link><description>Here are my slides and video demonstrations which I presented at Defcon 17. 
Defcon_Oracle_The_Making_of_the_2nd_sql_injection_worm

There are 3 demos to go with the slides:
Demo 1: Exploiting PL/SQL Injection from Web Applications.
Demo 2: Exploiting SQL Injection in Oracle Applications with Bsqlbf.
Demo 3: A proof of concept of Oracle SQL Injection Worm.

Tools: There are 2 [...]</description><pubDate>Tue, 04 Aug 2009 17:42:16 GMT</pubDate><guid isPermaLink="false">http://www.notsosecure.com/folder2/?p=253</guid><author>sid</author><source url="http://www.notsosecure.com/folder2/feed/atom/">www.notsosecure.com</source><ng:postId>10270377091</ng:postId><ng:feedId>1313119</ng:feedId><ng:folderId>0</ng:folderId><ng:folder ng:id="15102908" ng:flagState="0" ng:annotation="" /></item><item><title>Dan Kaminsky &amp; Kevin Mitnick Hacked</title><link>http://www.darknet.org.uk/2009/08/dan-kaminsky-kevin-mitnick-hacked/</link><description>If any of you follow the mailing lists or the &amp;#8217;scene&amp;#8217; as it&amp;#8217;s known, you&amp;#8217;d be familiar with PHC, Phrack, Gobbles, ~el8, Silvio, gayh1tler and the whole Whitehat Holocaust AKA pr0j3kt m4yh3m. (Back when it went public).
The war against whitehats has recently started up again, more vehemently, with a zine known as Zero for 0wned...&lt;br/&gt;
&lt;br/&gt;
Read the full post at darknet.org.uk&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/darknethackers?a=MoY1zabCe00:-0uSJacO0g4:D7DqB2pKExk"&gt;&lt;img src="http://feeds.feedburner.com/~ff/darknethackers?i=MoY1zabCe00:-0uSJacO0g4:D7DqB2pKExk" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/darknethackers?a=MoY1zabCe00:-0uSJacO0g4:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/darknethackers?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/darknethackers?a=MoY1zabCe00:-0uSJacO0g4:dnMXMwOfBR0"&gt;&lt;img src="http://feeds.feedburner.com/~ff/darknethackers?d=dnMXMwOfBR0" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/darknethackers?a=MoY1zabCe00:-0uSJacO0g4:7Q72WNTAKBA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/darknethackers?d=7Q72WNTAKBA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/darknethackers?a=MoY1zabCe00:-0uSJacO0g4:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/darknethackers?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/darknethackers?a=MoY1zabCe00:-0uSJacO0g4:gIN9vFwOqvQ"&gt;&lt;img src="http://feeds.feedburner.com/~ff/darknethackers?i=MoY1zabCe00:-0uSJacO0g4:gIN9vFwOqvQ" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/darknethackers?a=MoY1zabCe00:-0uSJacO0g4:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/darknethackers?i=MoY1zabCe00:-0uSJacO0g4:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;</description><pubDate>Mon, 03 Aug 2009 11:01:16 GMT</pubDate><guid isPermaLink="false">http://www.darknet.org.uk/?p=1987</guid><comments>http://www.darknet.org.uk/2009/08/dan-kaminsky-kevin-mitnick-hacked/#comments</comments><author>Darknet</author><source url="http://feeds.feedburner.com/darknethackers">Darknet - The Darkside</source><ng:postId>10260983147</ng:postId><ng:feedId>509435</ng:feedId><ng:folderId>0</ng:folderId><ng:folder ng:id="15102908" ng:flagState="0" ng:annotation="" /></item><item><title>Catch string formatting bugs with Visual Studio Team System 2010</title><link>http://blogs.msdn.com/habibh/archive/2009/08/03/catch-string-formatting-bugs-with-visual-studio-team-system-2010.aspx</link><description>&lt;p&gt;Formatting strings is a very common task in .NET development. Examples include formatting dates and currencies, composing an HTML response, creating error messages, etc. One of the downsides of string formatting is that if done incorrectly, you can end up with subtle bugs that won't be detected until runtime, at which point the application usually crashes with an exception.&lt;/p&gt;  &lt;p&gt;Take the following code sample, which comes from a real world application. It compiles fine and &lt;em&gt;most&lt;/em&gt; of the time, it also runs without any problems. However, once in a while, there is a customer complaint that the application crashes. It turns out that the &lt;font face="Courier New"&gt;if&lt;/font&gt; part of the code is rarely executed and because it isn't a common scenario, it wasn't tested.&lt;/p&gt;  &lt;p&gt;So, what is the problem? If you look closely at line 6 below where the string &lt;font face="Courier New"&gt;body&lt;/font&gt; is formatted, the argument for the second format item, {1}, which is supposed to be the user's name, is missing. As I mentioned above, there is no compiler warning or error to tell the developer about this problem. 
It's usually found during testing or, worst case, in production.&lt;/p&gt;
&lt;pre&gt;
   1: protected void btnSubmit_Click(object sender, EventArgs e)
   2: {
   3:     if (isEditingPost)
   4:     {
   5:         string body = txtBody.Value;
   6:         body += string.Format(&amp;quot;&amp;lt;p&amp;gt;-- {0}: post edited by {1}.&amp;lt;/p&amp;gt;&amp;quot;,
   7:            DateTime.Now.ToString()); // only one argument for two format items: {1} has none, so this throws FormatException at runtime
   8:         // edit an existing post
   9:         Post.UpdatePost(postID, txtTitle.Text, body);
  10:         panInput.Visible = false;
  11:         panFeedback.Visible = true;
  12:     }
  13:     else
  14:     {
  15:         // Rest of code not shown
&lt;/pre&gt;

&lt;p&gt;In Team System 2010, we have added a new rule to Code Analysis that detects this exact problem. When I run Code Analysis over the code above, it clearly warns me that I'm missing a format item:&lt;/p&gt;

&lt;p&gt;&lt;em&gt;warning: CA2241 : Microsoft.Usage : Method 'AddEditPost.btnSubmit_Click(object, EventArgs)' calls 'string.Format(string, object)' and does not provide an argument for format item &amp;quot;{1}&amp;quot;. The provided format string is: '&amp;quot;&amp;lt;p&amp;gt;-- {0}: post edited by {1}.&amp;lt;/p&amp;gt;&amp;quot;'&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;This feature is available in &lt;a href="http://msdn.microsoft.com/en-us/teamsystem/dd819231.aspx"&gt;Visual Studio Team System 2010 Beta 1&lt;/a&gt;. Feel free to download the beta and if you have any feedback on this feature, please leave me a comment.&lt;/p&gt;

&lt;p&gt;Habib Heydarian.&lt;/p&gt;&lt;img src="http://blogs.msdn.com/aggbug.aspx?PostID=9856655" width="1" height="1"&gt;</description><pubDate>Tue, 04 Aug 2009 00:43:36 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:9856655</guid><comments>http://blogs.msdn.com/habibh/comments/9856655.aspx</comments><author>habibh</author><source url="http://blogs.msdn.com/habibh/rss.xml">Habib Heydarian's Blog @ Microsoft</source><ng:postId>10265626381</ng:postId><ng:feedId>456217</ng:feedId><ng:folderId>0</ng:folderId><ng:folder ng:id="15102908" ng:flagState="0" ng:annotation="" /></item><item><title>Openfund Türk Girişimcilerin Başvurularını Bekliyor</title><link>http://feedproxy.google.com/~r/webrazzi/~3/Z9jhvkLXQ8Y/</link><description>&lt;p&gt;&lt;a href="http://www.theopenfund.com"&gt;&lt;img class="alignleft size-full wp-image-5143" title="openfund-logo1" src="http://www.webrazzi.com/wp-content/uploads/2009/08/openfund-logo1.jpg" alt="openfund-logo1" width="286" height="103" /&gt;&lt;/a&gt;İnternet girişimcilerinin fikirlerini hayata geçirmelerine destek vermek amacıyla Yunanistan merkezli bir oluşum kısa süre önce hayata geçirildi. &lt;a href="http://www.theopenfund.com"&gt;Openfund&lt;/a&gt; adı verilen oluşum fikir sahiplerine erken aşama yatırım sağlamanın dışında kurmuş olduğu network sayesinde de danışmanlık desteği sağlıyor.&lt;/p&gt;
&lt;p&gt;Openfund's founders got in touch with me a while ago and asked whether I could support them and the ventures in their portfolio as an advisor. When they said they also wanted to support Turkish internet startups, I thought we could create a shared synergy in the Turkish market and accepted their offer.&lt;/p&gt;
&lt;p&gt;I am now &lt;a href="http://www.theopenfund.com/People/Advisors"&gt;a member&lt;/a&gt; of the advisory board, which includes Mike Butcher of TechCrunch as well as advisors from companies such as Google, IBM, Accenture, PwC and Microsoft.&lt;span id="more-5142"&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;To get to the point entrepreneurs are really curious about: besides offering a four-month investment budget of between 20,000 and 30,000 euros, Openfund also provides startups with other support such as office space and company incorporation.&lt;/p&gt;
&lt;p&gt;The organization will collect applications for its first investment round until 30 September 2009, complete its evaluations between 1 October and 15 November, and will have made its investments in the startups as of 1 December 2009.&lt;/p&gt;
&lt;p&gt;You can get detailed information on the subject from the Openfund website, and you can also ask your questions in the comments so that they reach them.&lt;/p&gt;
&lt;p&gt;Interested entrepreneurs and idea owners can submit their applications &lt;a href="http://www.theopenfund.com/Apply/Idea"&gt;here&lt;/a&gt;, and can obtain various documents such as presentations and business plans from the &lt;a href="http://www.theopenfund.com/Resources"&gt;resources section&lt;/a&gt; of the site.&lt;/p&gt;
&lt;p&gt;&lt;i&gt;&lt;small&gt;This article was written by &lt;strong&gt;Arda Kutsal&lt;/strong&gt; and published on &lt;strong&gt;&lt;a href="http://www.webrazzi.com"&gt;Webrazzi.com&lt;/a&gt;&lt;/strong&gt;.&lt;/small&gt;&lt;/i&gt;&lt;/p&gt;
&lt;p&gt;&lt;a href="http://feedads.g.doubleclick.net/~a/FoFqFFaN8vrSAqj7zOPKsSudgvk/0/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/FoFqFFaN8vrSAqj7zOPKsSudgvk/0/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;br/&gt;
&lt;a href="http://feedads.g.doubleclick.net/~a/FoFqFFaN8vrSAqj7zOPKsSudgvk/1/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/FoFqFFaN8vrSAqj7zOPKsSudgvk/1/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/webrazzi?a=Z9jhvkLXQ8Y:2UWPaZHiJkQ:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/webrazzi?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/webrazzi?a=Z9jhvkLXQ8Y:2UWPaZHiJkQ:bcOpcFrp8Mo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/webrazzi?d=bcOpcFrp8Mo" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/webrazzi?a=Z9jhvkLXQ8Y:2UWPaZHiJkQ:I9og5sOYxJI"&gt;&lt;img src="http://feeds.feedburner.com/~ff/webrazzi?d=I9og5sOYxJI" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/webrazzi?a=Z9jhvkLXQ8Y:2UWPaZHiJkQ:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/webrazzi?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/webrazzi?a=Z9jhvkLXQ8Y:2UWPaZHiJkQ:D7DqB2pKExk"&gt;&lt;img src="http://feeds.feedburner.com/~ff/webrazzi?i=Z9jhvkLXQ8Y:2UWPaZHiJkQ:D7DqB2pKExk" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/webrazzi/~4/Z9jhvkLXQ8Y" height="1" width="1"/&gt;</description><pubDate>Mon, 03 Aug 2009 09:22:31 GMT</pubDate><guid isPermaLink="false">http://www.webrazzi.com/?p=5142</guid><comments>http://www.webrazzi.com/2009/08/03/openfund-turk-girisimcilerin-basvurularini-bekliyor/#comments</comments><author>Arda Kutsal</author><source url="http://feeds.feedburner.com/webrazzi">Webrazzi</source><ng:postId>10260533696</ng:postId><ng:feedId>870716</ng:feedId><ng:folderId>0</ng:folderId><ng:folder ng:id="15102908" ng:flagState="0" ng:annotation="" /></item><item><title>Announcing OffVis 1.0 Beta</title><link>http://blogs.technet.com/srd/archive/2009/07/31/announcing-offvis.aspx</link><description>&lt;P&gt;We’ve gotten questions from security researchers and malware protection vendors about the binary file format used by Microsoft Word, PowerPoint, and Excel. The &lt;A href="http://msdn.microsoft.com/en-us/library/cc313118.aspx" mce_href="http://msdn.microsoft.com/en-us/library/cc313118.aspx"&gt;format specification is open&lt;/A&gt; and we have spoken at several conferences (&lt;A href="http://www.blackhat.com/presentations/bh-jp-08/bh-jp-08-Dang/BlackHat-Japan-08-Dang-Office-Attacks.pdf" mce_href="http://www.blackhat.com/presentations/bh-jp-08/bh-jp-08-Dang/BlackHat-Japan-08-Dang-Office-Attacks.pdf"&gt;1&lt;/A&gt;, &lt;A href="http://recon.cx/2008/speakers.html#office" mce_href="http://recon.cx/2008/speakers.html#office"&gt;2&lt;/A&gt;, &lt;A href="http://events.ccc.de/congress/2008/Fahrplan/events/2938.de.html" mce_href="http://events.ccc.de/congress/2008/Fahrplan/events/2938.de.html"&gt;3&lt;/A&gt;) about detecting malicious docs but we wanted to do more to help defenders. So earlier this year we started working on an Office Visualization Tool called “OffVis”. 
We first shared the tool with our &lt;A href="http://www.microsoft.com/security/msrc/collaboration/mapppartners.aspx" mce_href="http://www.microsoft.com/security/msrc/collaboration/mapppartners.aspx"&gt;MAPP partners&lt;/A&gt; in May and have now released it as a no-charge &lt;A href="http://go.microsoft.com/fwlink/?LinkId=158791" mce_href="http://go.microsoft.com/fwlink/?LinkId=158791"&gt;download from the Microsoft Download Center&lt;/A&gt; for everyone to benefit from this work. We have also recorded a 30-minute training video that describes the file format. We will announce the video here on the blog when it is ready to be released.&lt;/P&gt;
&lt;P&gt;OffVis displays an OLESS-based binary file in two ways. It shows a &lt;B&gt;&lt;U&gt;hex view of the raw file contents&lt;/U&gt;&lt;/B&gt; on the left side of the window and the &lt;B&gt;&lt;U&gt;tree of objects built up from parsing those raw file contents&lt;/U&gt;&lt;/B&gt; on the right side of the window. You can see an example below.&lt;/P&gt;&lt;A href="http://blogs.technet.com/photos/swiblog/images/3269896/original.aspx" mce_href="http://blogs.technet.com/photos/swiblog/images/3269896/original.aspx"&gt;&lt;IMG src="http://blogs.technet.com/photos/swiblog/images/3269900/original.aspx" mce_src="http://blogs.technet.com/photos/swiblog/images/3269900/original.aspx"&gt;&lt;/A&gt;&lt;BR&gt;
&lt;CENTER&gt;(click to expand)&lt;/CENTER&gt;&lt;BR&gt;&lt;BR&gt;
&lt;P&gt;Double-clicking on a specific byte in the hex view will navigate the tree view to the object that byte belongs to. Double-clicking an object in the tree view navigates the hex view to the bytes that make up the object (and any of its child objects). &lt;/P&gt;
&lt;P&gt;OffVis also &lt;STRONG&gt;&lt;U&gt;detects eight Office file format vulnerabilities that we have seen exploited&lt;/U&gt;&lt;/STRONG&gt; over the past couple of years. We chose these specific CVEs to detect based on the prevalence of attacks in the wild. As was discussed in our last &lt;A href="http://www.microsoft.com/sir" mce_href="http://www.microsoft.com/sir"&gt;Security Intelligence Report&lt;/A&gt;, most attacks use vulnerabilities for which a security update has been available for months. We hope this “known-bad” detection will help you analyze suspicious documents that arrive in your network. And if you find malicious samples exploiting product vulnerabilities that are not detected, please send them to us so we can consider adding detection to OffVis for more vulnerabilities. We want to keep the correct balance between giving defenders more information to help them detect attacks and keeping vulnerabilities away from attackers. Here’s the initial list of CVE detection included:&lt;/P&gt;
&lt;TABLE border=1&gt;
&lt;TBODY&gt;
&lt;TR&gt;
&lt;TD&gt;&lt;B&gt;CVE&lt;/B&gt;&lt;/TD&gt;
&lt;TD&gt;&lt;B&gt;Product&lt;/B&gt;&lt;/TD&gt;
&lt;TD&gt;&lt;B&gt;Bulletin&lt;/B&gt;&lt;/TD&gt;&lt;/TR&gt;
&lt;TR&gt;
&lt;TD&gt;CVE-2006-0009&lt;/TD&gt;
&lt;TD&gt;PowerPoint&lt;/TD&gt;
&lt;TD&gt;&lt;A href="http://www.microsoft.com/technet/security/Bulletin/MS06-012.mspx" mce_href="http://www.microsoft.com/technet/security/Bulletin/MS06-012.mspx"&gt;MS06-012&lt;/A&gt; (March 2006)&lt;/TD&gt;&lt;/TR&gt;
&lt;TR&gt;
&lt;TD&gt;CVE-2006-0022&lt;/TD&gt;
&lt;TD&gt;PowerPoint&lt;/TD&gt;
&lt;TD&gt;&lt;A href="http://www.microsoft.com/technet/security/Bulletin/MS06-028.mspx" mce_href="http://www.microsoft.com/technet/security/Bulletin/MS06-028.mspx"&gt;MS06-028&lt;/A&gt; (June 2006)&lt;/TD&gt;&lt;/TR&gt;
&lt;TR&gt;
&lt;TD&gt;CVE-2006-2492&lt;/TD&gt;
&lt;TD&gt;Word&lt;/TD&gt;
&lt;TD&gt;&lt;A href="http://www.microsoft.com/technet/security/Bulletin/MS06-027.mspx" mce_href="http://www.microsoft.com/technet/security/Bulletin/MS06-027.mspx"&gt;MS06-027&lt;/A&gt; (June 2006)&lt;/TD&gt;&lt;/TR&gt;
&lt;TR&gt;
&lt;TD&gt;CVE-2006-3434&lt;/TD&gt;
&lt;TD&gt;Word&lt;/TD&gt;
&lt;TD&gt;&lt;A href="http://www.microsoft.com/technet/security/Bulletin/MS06-062.mspx" mce_href="http://www.microsoft.com/technet/security/Bulletin/MS06-062.mspx"&gt;MS06-062&lt;/A&gt; (October 2006)&lt;/TD&gt;&lt;/TR&gt;
&lt;TR&gt;
&lt;TD&gt;CVE-2007-0671&lt;/TD&gt;
&lt;TD&gt;Excel&lt;/TD&gt;
&lt;TD&gt;&lt;A href="http://www.microsoft.com/technet/security/Bulletin/MS07-015.mspx" mce_href="http://www.microsoft.com/technet/security/Bulletin/MS07-015.mspx"&gt;MS07-015&lt;/A&gt; (February 2007)&lt;/TD&gt;&lt;/TR&gt;
&lt;TR&gt;
&lt;TD&gt;CVE-2008-0081&lt;/TD&gt;
&lt;TD&gt;Excel&lt;/TD&gt;
&lt;TD&gt;&lt;A href="http://www.microsoft.com/technet/security/Bulletin/MS08-014.mspx" mce_href="http://www.microsoft.com/technet/security/Bulletin/MS08-014.mspx"&gt;MS08-014&lt;/A&gt; (March 2008)&lt;/TD&gt;&lt;/TR&gt;
&lt;TR&gt;
&lt;TD&gt;CVE-2009-0238&lt;/TD&gt;
&lt;TD&gt;Excel&lt;/TD&gt;
&lt;TD&gt;&lt;A href="http://www.microsoft.com/technet/security/Bulletin/MS09-009.mspx" mce_href="http://www.microsoft.com/technet/security/Bulletin/MS09-009.mspx"&gt;MS09-009&lt;/A&gt; (April 2009)&lt;/TD&gt;&lt;/TR&gt;
&lt;TR&gt;
&lt;TD&gt;CVE-2009-0556&lt;/TD&gt;
&lt;TD&gt;PowerPoint&lt;/TD&gt;
&lt;TD&gt;&lt;A href="http://www.microsoft.com/technet/security/Bulletin/MS09-017.mspx" mce_href="http://www.microsoft.com/technet/security/Bulletin/MS09-017.mspx"&gt;MS09-017&lt;/A&gt; (May 2009)&lt;/TD&gt;&lt;/TR&gt;&lt;/TBODY&gt;&lt;/TABLE&gt;
&lt;P&gt;In the screenshot below, you can see an OffVis CVE-2009-0556 detection. The PST_OutlineTextRefAtom atom at file offset 766378 has a Type value of 3998 (0xf9e), triggering the detection.&lt;/P&gt;
&lt;P&gt;&lt;IMG src="http://blogs.technet.com/photos/swiblog/images/3269904/original.aspx" mce_src="http://blogs.technet.com/photos/swiblog/images/3269904/original.aspx"&gt;&lt;/P&gt;
&lt;P&gt;You can find out more about OffVis by &lt;A href="http://go.microsoft.com/fwlink/?LinkId=158791" mce_href="http://go.microsoft.com/fwlink/?LinkId=158791"&gt;downloading it from the Microsoft Download Center&lt;/A&gt; and viewing the readme file. Please email us at switech at Microsoft.com if you have questions, comments, or malicious samples that are not detected.&lt;/P&gt;
&lt;P&gt;Thanks to Kevin Brown, Dan Beenfeldt, and the rest of the MSRC Engineering team who worked on this project!&lt;/P&gt;
&lt;P&gt;- Jonathan Ness, MSRC Engineering&lt;/P&gt;
&lt;P&gt;*Posting is provided "AS IS" with no warranties, and confers no rights.*&lt;/P&gt;</description><pubDate>Fri, 31 Jul 2009 21:34:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3269890</guid><comments>http://blogs.technet.com/srd/comments/3269890.aspx</comments><author>swiblog</author><source url="http://blogs.technet.com/srd/rss.xml">Security Research &amp; Defense</source><ng:postId>10250132710</ng:postId><ng:feedId>1878025</ng:feedId><ng:folderId>0</ng:folderId><ng:folder ng:id="15102908" ng:flagState="0" ng:annotation="" /></item><item><title>IE8 Filter Bypass</title><link>http://p42.us/?p=42</link><description>&lt;p&gt;So Eduardo and I finally gave our presentation at BlackHat titled Our Favorite XSS Filters and How to Attack Them. For the curious and inquisitive, the most updated version of the slides can be found &lt;a href="http://p42.us/favxss/"&gt;here&lt;/a&gt;. In it, we discuss many known and less well-known techniques for bypassing filters. Then, we discuss specifics about how to bypass a few of our favorite filters. We call them our favorites because, in most cases, we work closely and are friends with the people maintaining them and also because they (mostly) provide excellent technical challenges in order to attack them.&lt;/p&gt;
&lt;p&gt;One of the coolest bypasses was found a few weeks ago by Eduardo for the Internet Explorer 8 filters. These filters are not designed to catch all XSS; however, they are designed to catch certain types of reflected XSS, and for the cases they cover, they do a really good job at blocking attacks (while avoiding false positives). One of the scenarios that the filters cover is when an XSS injection occurs inside quoted JavaScript. In this case, the attacker must generally break out of the JavaScript string (which provides an excellent &amp;#8220;anchor&amp;#8221; to build filters upon) and then do something malicious. For the most part, the filters prevent calling functions and assigning variables. In other words, the filters presume you need chars like (, ), and = in order to do bad things (the filters actually go beyond this, but that&amp;#8217;s the general idea). So Eduardo set about to find a way to execute functions without using (, ), and =.&lt;/p&gt;
&lt;p&gt;So one way in JavaScript you can execute arbitrary code without parentheses is to use &lt;strong&gt;location=name&lt;/strong&gt;. &lt;strong&gt;name&lt;/strong&gt; is a variable representing a string obtained from the parent iframe&amp;#8217;s name attribute (presuming there is a parent iframe with a name attribute; otherwise it is just the null string).&lt;/p&gt;
&lt;p&gt;Another JavaScript trick that can be used is the fact that you can assign values to object variables using object literal notation, e.g. {foo:&amp;#8217;bar&amp;#8217;}. This statement assigns the string &amp;#8216;bar&amp;#8217; to the variable foo inside this unnamed object. Note that no equal sign is used.&lt;/p&gt;
&lt;p&gt;So the question you may be asking yourself is this: can these two &amp;#8216;tricks&amp;#8217; be combined in a way that avoids both parentheses and the equal sign? The answer is a definite yes!&lt;/p&gt;
&lt;p&gt;Here&amp;#8217;s how it works.&lt;/p&gt;
&lt;p&gt;&amp;#8221;+{toString:alert}&lt;/p&gt;
&lt;p&gt;In Internet Explorer 8, this will fire an empty alert box.  But to truly bypass the filters, we need to have arbitrary code execution.  To do this, we take the same idea, and make it a little bit more complicated.  &lt;/p&gt;
&lt;p&gt;&amp;#8216; %2b {valueOf:location,toString:[].join,0:name,length:1} %2b &amp;#8216;&lt;/p&gt;
&lt;p&gt;In this case, we are abusing the fact that some internally used functions like valueOf and toString can be overwritten. What&amp;#8217;s more, the word length can be overwritten along with the numeral 0 (yes, zero, a number&amp;#8230;). And for whatever reasons that aren&amp;#8217;t really clear to us, this ends up assigning name to location.&lt;/p&gt;
&lt;p&gt;Eduardo has raised this issue with the IE8 team and they are presently investigating it along with how to best update the filters to detect such issues.  &lt;/p&gt;
</description><pubDate>Fri, 31 Jul 2009 10:05:16 GMT</pubDate><guid isPermaLink="false">http://p42.us/?p=42</guid><author>david</author><source url="http://p42.us/?feed=atom">p42 labs</source><ng:postId>10246393949</ng:postId><ng:feedId>2062378</ng:feedId><ng:folderId>0</ng:folderId><ng:folder ng:id="15102908" ng:flagState="0" ng:annotation="" /></item><item><title>unix-privesc-check</title><link>http://googlecode.com/p/unix-privesc-check/</link><description>&lt;p&gt;Tool to check for simple privilege escalation vectors on Unix systems&lt;/p&gt;
</description><pubDate>Thu, 30 Jul 2009 23:54:47 GMT</pubDate><guid isPermaLink="false">http://googlecode.com/p/unix-privesc-check/</guid><author>timbrown</author><source url="http://feeds.delicious.com/rss/timbrown">Delicious/timbrown</source><ng:postId>10243507550</ng:postId><ng:feedId>3460142</ng:feedId><ng:folderId>0</ng:folderId><ng:folder ng:id="15102908" ng:flagState="0" ng:annotation="" /></item><item><title>Dawn of War II Weekend Sale: 50% off</title><link>http://community.dawnofwar2.com/blogs/?p=762</link><description>Dawn of War II is 50% off this weekend on Steam and Direct 2 Drive. That’s right, anyone can purchase DOW II this weekend for only $24.99 USD. If you already own the game, spread the news to others! Dawn of War II is even better when playing with friends or enemies – the more, [...]</description><pubDate>Thu, 30 Jul 2009 18:18:41 GMT</pubDate><guid isPermaLink="false">http://community.dawnofwar2.com/blogs/?p=762</guid><comments>http://community.dawnofwar2.com/blogs/?p=762#comments</comments><author>sasquatch</author><source url="http://community.dawnofwar2.com/blogs/?feed=rss2&amp;cat=1">Dawn Of War 2 Community Site » News &amp; Updates</source><ng:postId>10242904877</ng:postId><ng:feedId>3449013</ng:feedId><ng:folderId>0</ng:folderId><ng:folder ng:id="15102908" ng:flagState="0" ng:annotation="" /></item><item><title>Overview of Visual Studio Team System 2010 for Developers (Part 1) </title><link>http://www.dotnetkicks.com/teamsystem/Overview_of_Visual_Studio_Team_System_2010_for_Developers_Part_1</link><description>In this two-part article we will take an overview of various features and tools of Team System 2010 for Developers
</description><pubDate>Wed, 29 Jul 2009 19:00:03 GMT</pubDate><guid isPermaLink="false">http://www.dotnetkicks.com/teamsystem/Overview_of_Visual_Studio_Team_System_2010_for_Developers_Part_1</guid><source url="http://feeds.feedburner.com/dotnetkicks">DotNetKicks.com</source><ng:postId>10233181571</ng:postId><ng:feedId>1571576</ng:feedId><ng:folderId>0</ng:folderId><ng:folder ng:id="15102908" ng:flagState="0" ng:annotation="" /></item><item><title>Wildcard certificate spoofs web authentication</title><link>http://go.theregister.com/feed/www.theregister.co.uk/2009/07/30/universal_ssl_certificate/</link><description>&lt;h4&gt;SSL felled by null string&lt;/h4&gt;
&lt;p&gt;&lt;strong&gt;Black Hat&lt;/strong&gt; In a blow to one of the net's most widely used authentication technologies, a researcher has devised a simple way to spoof SSL certificates used to secure websites, virtual private networks, and email servers.…&lt;/p&gt;</description><pubDate>Thu, 30 Jul 2009 03:13:02 GMT</pubDate><guid isPermaLink="false">tag:google.com,2005:reader/item/5f089fb4952a7884</guid><author>(author unknown)</author><source url="http://www.google.com/reader/public/atom/user/16712724397688793161/state/com.google/broadcast">Moderated AppSec Feed - OWASP Foundation's shared items in Google Reader</source><ng:postId>10235879386</ng:postId><ng:feedId>1585274</ng:feedId><ng:folderId>0</ng:folderId><ng:folder ng:id="15102908" ng:flagState="0" ng:annotation="" /></item><item><title>Oracle &amp; Metasploit Presentation from Blackhat USA is already online</title><link>http://blog.red-database-security.com/2009/07/29/oracle-metasploit-presentation-from-blackhat-usa-are-already-online/</link><description>&lt;p&gt;The Oracle &amp;amp; Metasploit material (&lt;a href="http://www.blackhat.com/presentations/bh-usa-09/GATES/BHUSA09-Gates-OracleMetasploit-PAPER.pdf" title="Oracle Penetration Testing Using the Metasploit Framework "&gt;PDF&lt;/a&gt;, &lt;a href="http://www.blackhat.com/presentations/bh-usa-09/GATES/BHUSA09-Gates-OracleMetasploit-SLIDES.pdf" title="Attacking Oracle  with the  MetasploitFramework"&gt;Slides&lt;/a&gt;) by Chris Gates from the Blackhat 2009 conference is already online. A short review will be done tomorrow.&lt;/p&gt;
</description><pubDate>Wed, 29 Jul 2009 21:23:17 GMT</pubDate><guid isPermaLink="false">http://blog.red-database-security.com/2009/07/29/oracle-metasploit-presentation-from-blackhat-usa-are-already-online/</guid><comments>http://blog.red-database-security.com/2009/07/29/oracle-metasploit-presentation-from-blackhat-usa-are-already-online/#comments</comments><author>Alexander Kornbrust</author><source url="http://blog.red-database-security.com/feed/">Alexander Kornbrust Oracle Security Blog</source><ng:postId>10235897407</ng:postId><ng:feedId>1451341</ng:feedId><ng:folderId>0</ng:folderId><ng:folder ng:id="15102908" ng:flagState="0" ng:annotation="" /></item><item><title>https Can Wait - SaaS Needs Better Authentication First</title><link>http://www.boazgelbord.com/2009/07/https-can-wait-saas-needs-better.html</link><description>&lt;div&gt;Twitter just got burned in the cloud. Some "hacker" managed to figure out a password to one of Twitter's Google Docs accounts. This guy went on to send a whole slew of confidential Twitter documents over to TechCrunch.&lt;br /&gt;&lt;br /&gt;This kind of stuff happens all the time, but our collective Twitter obsession has catapulted this story to the top of the news. &lt;a href="http://www.time.com/time/world/article/0,8599,1905125,00.html"&gt;Twitter's role in the recent Iranian protests&lt;/a&gt; has given the fledgling service a new gravitas. An attack on Twitter, it would seem, is an attack on all of us. And to make things worse this was a direct attack on cloud services. This perfect storm even has the &lt;a href="http://www.nytimes.com/2009/07/20/opinion/20zittrain.html?_r=1&amp;amp;ref=opinion"&gt;New York Times&lt;/a&gt; talking about cloud security.&lt;br /&gt;&lt;br /&gt;First let's look at &lt;a href="http://www.computerworld.com/s/article/9135661/Report_Hacker_broke_into_Twitter_e_mail_with_help_from_Hotmail?taxonomyId=82&amp;amp;pageNumber=1"&gt;what actually happened&lt;/a&gt;. 
An administrative assistant at Twitter used the same password for her corporate Google Docs account as for a whole bunch of personal services. Enter some guy going by the name Hacker Kroll. He managed to reset her password by answering her "secret questions" and reviving a defunct hotmail account the assistant had given for password reset. A bit of Googling and voila - all the company's goodies from secret business plans to personal emails are in the public domain.&lt;br /&gt;&lt;br /&gt;Reading over the chain of events, it seems like this could happen to pretty much any company using SaaS (which according to &lt;a href="http://www.boazgelbord.com/2009/06/owasp-security-spending-benchmarks.html"&gt;various studies&lt;/a&gt; means most companies). And it raises an uncomfortable question - can Google Docs be trusted for anything truly sensitive given the flimsy password authentication it relies on? For the average user, Citibank password=Amazon password=Salesforce password=Twitter password=Hotmail password=...you get the point.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;b&gt;&lt;i&gt;The Inevitability of Password Recycling&lt;/i&gt;&lt;/b&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;So who is to blame for this gaping security vulnerability? &lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Let's start with who is not to blame. Users can't be blamed for doing what comes naturally. And in fact, sticking to a very small number of passwords makes sense from an availability perspective. The security risks arising from using the same passwords everywhere pale in comparison to the total catastrophe that ensues from actually getting locked out of accounts. 
The average user would rather risk a 0.01% chance of their online accounts being compromised than a 5% chance of being locked out of their accounts (OK, I'm making those numbers up but you get the point).&lt;/div&gt;&lt;br /&gt;&lt;div&gt;There is another reason not to blame users - they haven't been given any workable alternatives to password recycling. Users are justifiably nervous about browser-based password managers - it opens up a Pandora's box of cross-site scripting and other vulnerabilities, no matter how complex your passwords are. And systems like KeePass that allow users to store their passwords in encrypted form may be very convenient for a paranoid minority, but just don't meet the real world needs of the average user.&lt;br /&gt;&lt;br /&gt;Some companies try to force unique passwords through complexity requirements or password expiration policies.  These settings aren't always available (Google Docs doesn't allow password expiry) but in Salesforce for example these settings can be set administratively. But this still doesn't solve the problem of password recycling. If a given user has hundreds of pictures of their golden retriever on Facebook and all of his passwords are goldenretriever1, goldenretriever2, etc, there's no configuration setting in the world that's going to pick up on this.&lt;br /&gt;&lt;br /&gt;So the solution isn't going to come from user education or unenforceable corporate policies. SaaS providers need to offer more secure cloud authentication alternatives, even if this means charging a premium. SaaS vendors will of course only react to a market need. Unfortunately there has been very little pressure on vendors and the focus to date has been disproportionately on old fashioned network security issues. 
This has come at the expense of improving the very weak authentication structure in place in most SaaS offerings today.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;b&gt;&lt;i&gt;https and Barking Up the Wrong Security Tree...&lt;/i&gt;&lt;/b&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Take, for example, the recent &lt;a href="http://www.wired.com/images_blogs/threatlevel/2009/06/google-letter-final2.pdf"&gt;letter&lt;/a&gt; to Google from a group of security industry thought leaders calling on the company to enforce https rather than http. While that is a worthy goal, &lt;em&gt;it builds on the security industry's https fetish while ignoring the much more significant cloud authentication crisis. &lt;/em&gt;&lt;/div&gt;&lt;br /&gt;&lt;div&gt;Defaulting to https protects against packet sniffing; an important security objective, but one that is less critical in the cloud than on corporate networks. Compared to guessing passwords, running a packet sniffer requires a high level of technical expertise and a high level of direct network access. The rewards are also limited - sniffing a Google Doc that is being transmitted in plaintext gives access to that one document. Compromising a password yields the mother lode. That's why the majority of attacks we hear about involve guessing user credentials, not performing network monitoring (the TJMaxx case notwithstanding). Nine times out of ten when the media talks about an account being "hacked into", they are not talking about a compromised router or server. They are talking about plain old password guessing, à la Twitter or Sarah Palin's Yahoo account.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;Security risks in SaaS differ sharply from the traditional firewalled corporate network. At the risk of vast generalizations, https is more important than robust authentication in a walled environment, but in the cloud that priority order is flipped. 
Password authentication is often sufficient protection for in-house corporate resources because &lt;em&gt;there is usually at least one more hurdle to climb to actually get at the data. &lt;/em&gt;That hurdle might be knowing how to get onto a company VPN or even just knowing the URLs of the company's web-facing resources. These aren't state secrets, but probably enough to deter the casual hacker. Remember, the only technical skills involved in many headline-grabbing "hacking" incidents are a bit of Googling and combing Facebook for clues to password reset questions.&lt;br /&gt;&lt;br /&gt;Poor password management is of course still a problem within corporate networks, especially for shared passwords. I &lt;a href="http://news.idg.no/cw/art.cfm?id=97B33CE5-1A64-67EA-E46946715C38AAF1"&gt;recently discussed&lt;/a&gt; this issue in an interview that was published in Computerworld today. The lack of administrative password management is another example of skewed security resource allocation; organizations that spend enormous sums on firewalls, IDSs and other network security devices and services often fail to properly secure system access accounts such as root passwords on Linux servers, administrative passwords in Windows, or sa passwords on databases. Indeed, the lack of proper management of administrative passwords was apparently &lt;a href="http://www.techcrunch.com/2009/07/15/another-security-tip-for-twitter-dont-use-password-as-your-password/"&gt;yet another security issue at Twitter&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;But the shift to cloud services like Google Docs gives potential hackers even lower-hanging fruit than guessing at default or poorly chosen administrative passwords. Cloud computing increasingly means that the only thing standing between a hacker and confidential data is a single password. 
After all, there's no point in trying to gain access to a core router with a potentially stupid password when you could just guess away at docs.google.com and try your luck there. And as an added bonus to the password-guessing approach, the lucky guesser gets all the data served on a silver platter, all formatted and ready to go. No messy databases to sift through and no need to have any knowledge of SQL, IOS, or other unpleasant technicalities.&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;b&gt;&lt;i&gt;Adding Just a Bit of Security to the Cloud&lt;/i&gt;&lt;/b&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;Eliminating the all-you-need-to-do-is-guess-a-password vulnerability in cloud computing isn't rocket science. It is in fact much easier to address than the politically dicey issues involved with shared administrative passwords. And there is no reason SaaS providers can't charge for the service. SaaS providers such as Survey Monkey already offer https versions of their products at a cost. Incidents like the recent Twitter snafu will push mainstream SaaS providers to offer premium authentication services as well. &lt;/div&gt;&lt;br /&gt;&lt;div&gt;There are a couple of easy-to-implement solutions that would have prevented the Twitter hack and also the vast majority of other SaaS password-guessing attacks that have been going on lately. One method is to require an extra "corporate password" to get into an account, so that employees need to enter both an individual password and a second password maintained and periodically changed by the company. Not a perfect solution, but one that would deter the flood of amateur attacks that SaaS seems to attract.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;There are other more robust methods to beef up security - users can be required, for example, to submit corporate email accounts as their backup accounts. Another option is to force users to dial into a corporate center to reset their password. 
They can then be subjected to much more detailed questions to authenticate them.&lt;br /&gt;&lt;br /&gt;Letting companies insert themselves into the authentication process will do a lot more than https to secure cloud services. There just aren't that many folks out there running Wireshark in hopes of stealing a spreadsheet off of Google Docs. As the recent Twitter breach indicates, there are many more people out there trying to guess your employees' maiden names and get to passwords that way. That's not to say that https isn't important. But it's much more important to beef up authentication first.&lt;br /&gt;&lt;/div&gt;</description><pubDate>Tue, 21 Jul 2009 04:40:00 GMT</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-3987758514754534289.post-8466030174068691600</guid><author>noreply@blogger.com (Boaz Gelbord)</author><source url="http://www.boazgelbord.com/feeds/posts/default?alt=rss">Boaz Gelbord</source><ng:postId>10180848590</ng:postId><ng:feedId>5111154</ng:feedId><ng:folderId>0</ng:folderId><ng:folder ng:id="15102908" ng:flagState="0" ng:annotation="" /></item></channel></rss>