July 2004 - Posts
If you’re doing anything with secure web services using the .NET Framework, then you’ll want to get the latest version of WSE 2.0 available at http://www.microsoft.com/downloads/details.aspx?familyid=fc5f06c5-821f-41d3-a4fe-6c7b56423841&displaylang=en . This first Service Pack for the WSE 2.0 at a little over 7MB is miraculously 210k smaller than the original!
To quote the update notes on it: “This updated version of the Web Services Enhancements 2.0 contains fixes to scalability and functionality based on customer feedback, as well as important security additions.”
The best list of the changes (and other things about WSE 2.0) is from Hervey Wilson at http://www.dynamic-cast.com/mt-archives/000060.html
This has turned out to be one of those weeks I didn’t plan for and suddenly it’s the Friday before a week’s vacation and I haven’t managed to achieve even half the things I’d hoped, so sadly, Security Myth #3 “Cryptography is too hard” will have to wait another week before I can really give it the time to do it justice.
“Expect the unexpected” they tell you, or “plan for the unknown”. Hmmm, I’m neither psychic nor good at guessing games. If only I had known that Monday morning would see the demise of my hard disk. It had shown a few warning signs – the mouse becoming jerky as the CPU got tied up waiting for disk IO to complete. So, ‘run chkdsk’ I thought, ‘that will fix this kind of problem’. Alas, on the reboot, so that the checker could lock the system partition, the disk made a tremendous ‘THUNK’ noise and that was it – dead disk.
I replaced the laptop disk with the one from my external USB storage device and started the rebuild, getting back as much backed up data as possible. Fortunately for me, one of my colleagues, Alastair Dick, used to be an engineer at Dell and knows a thing or two about disks. With his help, standing the old disk at an obscure angle and keeping it extra cool I was eventually able to recover much of my lost data – all proving to be a tedious activity.
Ha ha! I can hear the echoes on the internet – ‘why didn’t he just restore from his backup?’. Well I have an 80Gig drive – 20Gigs for system and apps, the rest for data – lots of Virtual PC images for all the demos and things I do – how do you easily back up 60Gigs of data from your laptop?
One of those virtual images was critical to the demos I will be giving at an event in Reading on 11th August. The session I’m responsible for at the event ‘What’s new in Visual Studio .NET 2005’ is on Visual Studio Team System. An impossible task to do justice to the enormity of the product in only 75 minutes!
So sadly my week was not quite what I’d planned and please accept my apologies that Myth #3 will be postponed until I’m back from my vacation in sunnier climes…
For a while now, I’ve had a DOS based BIOS update for an internal DVD-RW drive. The machine in which the drive is installed doesn’t have a DOS boot partition or Floppy drive, making booting into DOS a little tricky. OK, so I could build a bootable CD with MS-DOS or Windows 98 on it, and there are great instructions and tools to do this here.
But, the BIOS upgrade utility will not work when booted from the device it is trying to upgrade … drat! In the absence of any other usable media I decided that I wanted to use a USB memory stick to boot to MS-DOS and then perform the upgrade. After much searching I discovered a very useful utility from HP that will allow you to format a bootable USB memory stick (not just HP’s own devices) without any pain or hassle at all. You can download the utility yourself from HP’s download site here, and my thanks must go to Oliver Aaltonen for his great instructions here if you get stuck.
Despite my delight I could still not boot on my test machine, an HP tc 1100. It turns out that I had overlooked Oliver’s warning about the capabilities of the BIOS. This all-important factor makes all the difference: it would appear that your BIOS must explicitly allow booting from a USB floppy or ZIP drive, and that just booting from a generic USB device is not enough.
Have fun!
[Please note that none of the tools pointed to in this post are supported by me or Microsoft, and that the appropriate licensing is required for any operating systems or other software you use]
When Windows for Workgroups 3.11 shipped I don’t think anyone believed that over the coming 10 years the number of computers in use would increase more than 10 fold and that almost all of them would, at one time or another, connect to the internet. Back in 1992, everyone on the internet was nice, because if you stood next to someone in the office, then between you, you would have enough fingers and toes to count everyone who could use their computer to connect to another computer outside of their own company!
The only network that could be used to successfully spread a virus back then was ‘sneaker-net’ and actually physically sharing media, the scourge of the 5 ¼ inch floppy. A few companies tackled this problem by purchasing floppy-disk locks to stop their staff from bringing in games from home which might be accompanied by an unwelcome selection of bits and bytes.
As the internet grew and the .com bubble began to swell, the need for every company to be seen and accessible, at least in online brochure form, caused huge pressures to be placed on IT departments. Online strategies became an essential part of company reports and business proposals. The continued business pressure, and the demands of home computer users armed with hours of free internet access and free modems to see more and more images of their favourite products, led to the realisation that business could actually be done on the internet.
“If you build it, they will come” became the mantra of the mid-nineties. High Street retailers now wanting to sell their products online and capitalise on this new market built e-commerce web sites with a philosophy of ‘we can stand a bit of fraud in our shops, so we can cope with a bit of fraud online too, after all, most people that come to our shops are nice and just come to buy’.
And sure enough, the site was built and the consumers came and purchased and occasionally a stolen credit card was used, but most of the transactions were ‘nice’.
But then one day, Mr Businessman woke up to a news headline “Credit card details published on Web after hack attack” which made him wonder… Perhaps not everyone on the internet is nice. It’s not possible to smile at someone as you hand them their change and wonder if you trust them or not. It’s not possible to video a bank robber coming into an online bank. Attacks from Cyberspace are different….
So, a question for you: How do you install a virus on someone’s computer?
Answer: You send it as an attachment to an email with the subject of ‘ILOVEYOU’
Now, I bet you smiled to yourself when you read that. Steve Riley tells it better than me, but I hope you get the point: a nice person sent you a nice email and before they realised it, thousands of people were infected because they wanted to fulfil that basic human need – to feel loved.
How could something so innocent become so malicious? You recognised the name of the sender as a trustworthy friend. Now that they’ve emailed you a virus, is that trust irrevocably broken? Or will you forgive them because they just did something a bit silly and they had no idea it was a silly thing until it was too late? Double clicking an email attachment was/is an everyday occurrence after all and they had a previously untarnished record of virus free emailing. But it is not the sender you don’t want to trust, but the ethereal virus author. Trust is a strange thing when you begin to look at it and there is an entire spectrum of trust that is, today, quite poorly defined, but more of that in another posting. Here’s a little tale for you:
“Got any old watches or clocks to sell?” asked the man standing in front of me on my doorstep. “Err, no”, I replied a little taken aback by the question. I cast a curious eye up and down the reasonably well presented gentleman in his early fifties and noticed a printed leaflet in his hands identical to the one I had pulled from my letterbox that very morning and discarded without really reading it. The leaflet read ‘Buy-gone Antiques, Instant Cash Paid for Watches and Clocks, Victorian Paintings and Old War Medals (any condition)’.
I turned, “Who was that” my girlfriend inquired as I closed the door and saw the man walk briskly towards my neighbour’s. I put on a gruff London accent, “No old watches or clocks to sell? …. then you must have some new ones you’re keeping hidden…” and we both laughed before returning to our laptops. After a few moments my girlfriend looked up and asked “Do you think he was a burglar?”.
“No, just an enterprising small business man”, but she had made me think. Why didn’t I think that he was trying to rip me off? Was he looking to see if people were out before breaking in, under the disguise of an antiques dealer? Did he hope that I was an old lady to prey upon and give me a pittance for my departed husband’s valuable war memorabilia?... Well, I trusted him enough not to break into the house, because he’d left a leaflet with his phone number and address on it. But he could have printed them himself and made up the number and address. You have to wonder just how far someone might go, and given the evidence to hand and the effort required and the risk of exposing himself, I could reasonably trust that he was not surveying the area for robbery potential. I would not, however, trust that man with much else.
We are naturally all quite trusting individuals – it’s in our nature to believe in people. But on the internet it is harder to identify people and verify who they are and what their intentions are, so some good approaches are available to minimise the amount of exposure, and it is well worth thinking about this as you build any computer system.
Secure by Design, Secure by Default and Secure in Deployment. Of course, these principles translate to quite a few practical activities, so I’ve listed three of my favourites below:
1) Build a Threat model – no excuses, JFDI – Just Do It!
2) Run your code with least privilege. This doesn’t only mean that the account executing the code has only the permissions necessary to carry out its task, but also, in the age of .NET, that application code itself can be restricted in the permissions it is granted. Currently it is a bit tricky to determine what permissions are actually required by a .NET application, but the permcalc application in Whidbey (sorry, Visual Studio .NET 2005) makes this a whole lot easier! Things get even better in Longhorn.
3) Never trust any input.
Resist the natural urge to trust the people that are using your application, be they within your organisation or on the internet, make security a part of your whole software development lifecycle and, in the words of Andy Grove “only the paranoid survive”.
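As an added illustration of point 2 above (my own example, not code from the post or from the .NET Framework itself), here is a .NET 1.1/2.0 assembly that declares up front the minimum code access permission it needs, refuses one it never needs, and narrows itself still further around a single file read. The paths are hypothetical.

```csharp
using System;
using System.IO;
using System.Security;
using System.Security.Permissions;

// Assembly-level requests (hypothetical paths). The CLR will not load the assembly
// if policy grants less than RequestMinimum, and never grants what RequestRefuse
// names, so a bug in this code cannot be turned into registry access.
[assembly: FileIOPermission(SecurityAction.RequestMinimum, Read = @"C:\MyApp\Config")]
[assembly: RegistryPermission(SecurityAction.RequestRefuse, Unrestricted = true)]

class LeastPrivilegeDemo
{
    // Reads a file while this stack frame, and everything it calls, is limited to
    // read access under one directory, whatever the policy actually granted.
    static string ReadSetting(string path)
    {
        FileIOPermission configOnly =
            new FileIOPermission(FileIOPermissionAccess.Read, @"C:\MyApp\Config");
        configOnly.PermitOnly();
        try
        {
            // StreamReader demands FileIOPermission(Read, path); the demand is
            // checked against the PermitOnly set and throws if path lies outside it.
            using (StreamReader reader = new StreamReader(path))
                return reader.ReadToEnd();
        }
        finally
        {
            CodeAccessPermission.RevertPermitOnly();   // restore the frame's normal grant
        }
    }

    static void Main()
    {
        Console.WriteLine(ReadSetting(@"C:\MyApp\Config\settings.xml"));   // inside the permitted path

        try
        {
            ReadSetting(@"C:\Windows\System32\drivers\etc\hosts");        // outside it
        }
        catch (SecurityException ex)
        {
            Console.WriteLine("Blocked as expected: " + ex.Message);
        }
    }
}
```

Under Whidbey, permcalc can tell you whether the RequestMinimum set above really is the smallest grant the assembly needs.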
I think Myth #3 will get a bit more technical, as it will be titled “Cryptography is just too hard”.
Mike
Well I must have blinked because I missed it first time around. I, along with many others, found ISA Server 2000 a bit tricky to configure and the product team have done a great job in making ISA Server 2004 much, much easier. But not only that, there is a plethora of new features that made me wonder what on earth was in the previous version! Click here to see the list of what’s new.
Product Info: http://www.microsoft.com/isaserver/
Eval download: http://www.microsoft.com/isaserver/evaluation/trial/
If you’re running on Windows Server 2003, then you can download a tool to turn ISA Server 2004 into a Remote Quarantine Server (RQS). To do this you need the Windows Server 2003 Resource Kit and the updated RQS.exe file.
One little gotcha that had me was that when upgrading from ISA Server 2000 to 2004, the migration wizard will only work if you have installed ISA Server 2000 SP1 or later first! Oops, I didn’t realize they were available here, and I had hoped that MBSA 1.2 would have informed me of this short-coming… Oh well, I’ll never make a SysAdmin.
I seem to have missed a lot about ISA… I wonder if I’m alone in this?
Just a really quick entry because this had been bugging me on the back burner for a while now: how do you set up IIS 6.0 to do certificate-to-user mapping for authentication against Active Directory in Windows Server 2003? All of these sorts of infrastructure things are always a bit odd for me, coming from a developer background.
All the information is out there on how to do this, but it’s usually shrouded in a ton of other information making it difficult to find the 3 steps you actually need to make things just work. So, what are those steps:
1) Enable Active Directory name mapping for certificates, and don’t forget that the certificates you need to use must be suitable for client authentication.
2) In IIS 6.0, enable the Windows Directory Service Mapper.
3) On the web virtual directory on which you want to use mapping, enable certificates as an acceptable form of authentication on the properties tab. If mapped certificates are going to be the only way you will access the site, then you can actually turn off all other forms of authentication. In the secure communication directory setting, you need to accept certificates and simply tick ‘Enable client certificate mapping’, but don’t bother changing anything under the ‘Edit…’ button or changing any options there.
This is pretty much all in this document, but there are too many steps for this little thing when I wanted just to do some testing!
I’ve not mentioned some of the peripheral things that you need to make this happen, like SSL, auto-enrolment for certificates (if you want it), certificate trust lists etc. etc., but the above are the crucial nuggets to make sure it works.
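To take some of the guesswork out of step 1, here is a small helper I have added (my own code, not part of the post, IIS or Active Directory): given a client certificate exported to a .cer file, it checks that the certificate carries the Client Authentication purpose and prints the issuer/subject string that the Name Mappings dialog stores in the user’s altSecurityIdentities attribute, so you can compare it with what you entered. The reversed DN layout is the format Active Directory uses; the split on ‘, ’ is a simplification.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Hypothetical helper, not part of IIS or Active Directory.
class CertMapCheck
{
    // Windows displays a DN as "CN=alice, OU=Users, DC=contoso, DC=com"; the
    // altSecurityIdentities mapping stores the same components in reverse order.
    // Simplification: an RDN value containing an escaped ", " would be split wrongly.
    static string ToAdOrder(string displayDn)
    {
        string[] parts = displayDn.Split(new string[] { ", " }, StringSplitOptions.None);
        Array.Reverse(parts);
        return string.Join(",", parts);
    }

    // "Suitable for client authentication": either the certificate lists
    // id-kp-clientAuth in its Enhanced Key Usage, or it has no EKU extension
    // at all (which means it is valid for every purpose).
    static bool SuitableForClientAuth(X509Certificate2 cert)
    {
        bool sawEku = false;
        foreach (X509Extension ext in cert.Extensions)
        {
            X509EnhancedKeyUsageExtension eku = ext as X509EnhancedKeyUsageExtension;
            if (eku == null) continue;
            sawEku = true;
            foreach (Oid purpose in eku.EnhancedKeyUsages)
                if (purpose.Value == "1.3.6.1.5.5.7.3.2") return true;   // id-kp-clientAuth
        }
        return !sawEku;
    }

    static void Main(string[] args)
    {
        X509Certificate2 cert = new X509Certificate2(args[0]);   // path to the exported .cer
        if (!SuitableForClientAuth(cert))
            Console.WriteLine("WARNING: certificate lacks the Client Authentication purpose; mapping it will not help.");

        // One-to-one mapping: both issuer and subject must match, so a certificate
        // with the same subject issued by a different CA does not map to this user.
        Console.WriteLine("X509:<I>" + ToAdOrder(cert.Issuer) + "<S>" + ToAdOrder(cert.Subject));
    }
}
```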
It’s cool and it worked for me in the end ;-)
Well, I bet I’m not the first to blog about the .NET Service Pack Technology Preview’s availability, since they were released two weeks ago. These service packs have about 140 changes, including a roll-up of the framework hotfixes, some improvements to the WSDL importing and, the reason I’m blogging this, two security related areas: Data Execution Prevention (DEP) and Buffer Overrun protection. So there are lots of fixes and changes, some in preparation for Windows XP SP2.
My one word of caution before installing is to note that you can’t uninstall these babies! So my advice would be to use a Virtual PC or other test machine (if you want to test the Data Execution Prevention then you’ll need the appropriate hardware) and enjoy!
You can get your copy of the Technology Preview bits here http://msdn.microsoft.com/netframework/downloads/updates/sptechpreview/default.aspx along with all the detail about the changes and revisions that have been made.
Please feedback at http://communities.microsoft.com/newsgroups/default.asp?icp=techpreview&slcid=us to help us get it right for you!
Threat modelling should be a part of the design of any system, software or otherwise – hey, it’s just part of the design.
A post on Friday on the Channel 9 site by Frank Swiderski talks about the Threat Modelling tool he has written and mentions his book that has recently been published, co-authored with Window Snyder. See his video here. I can’t comment on the book as my copy is still in the post, but it’s a must for anyone interested in the subject of building secure systems! The tool is pretty cool and helps with the modelling process, using threat trees, integrating with diagrams from Visio, and will also output a few reports.
For all the appropriate links to stuff about Threat Modelling, go here:
http://msdn.microsoft.com/security/securecode/threatmodeling/default.aspx
Mike
PS in the UK we do indeed spell modelling with 2 ‘l’s!
Myth #1: http://weblogs.asp.net/mikeshaw/articles/181173.aspx
Oh dear, well I really am new to this blogging thing, so sorry for posting that last item twice! So, I’ve been sitting on writing my article about this first myth for ages. I’ve made lots of different attempts at trying to convey the message that it’s not really possible to pre-empt what a hacker will do because they always have the advantage – what Michael Howard calls “The Attacker's Advantage and the Defender's Dilemma” and Tim Sneath blogged about here. Well here goes, I’m sure you’ll let me know if I came even close to fulfilling my goal and I can try to build your feedback into next week’s myth “The internet is full of nice people”, which perhaps would have made a better first myth, but I was trying to parody Jim McCarthy’s 21 rules, but after thinking about things, that really isn’t going to work.... Anyway, I've posted Myth #1 here.
I hope you like it!
Mike
PS Please let me know if posting it as an Article/Story is best, or should I just post it as a regular Post?
Security is a subject that turns many developers off. They often think that security is stuff that detracts from their productivity by making things too difficult, or they imagine that security is something that happens when the systems administrators get their hands on the application and it’s not their problem. So I’ve been thinking about the question of how I can get more people to take more than a passing interest in security, particularly from a developer’s / architect’s perspective. There’s plenty of material out there already, and Michael Howard’s book on "Writing Secure Code" is very good indeed, for example, if perhaps a little weighty for someone looking for that one hint or tip to put the final security touches to their application before they ship ;-) .
Anyway, last week I had a conversation in the speaker lounge at TechEd Europe with my good friend and colleague, Dave Gristwood, about his session on the “21 rules of software development”. Dave’s session, based on an original by Jim McCarthy (read Dave’s blog for more detail), takes a good humoured look at the software development process and offers 21 rules to help build software. So great was this inspirational chat with Dave that over the coming months I have decided to develop something on my blog I shall call: “21 Myths of Software Security” – original eh ;-)? I’m not quite sure how it will pan out, and I’m more than happy to take any input or suggestions, so let’s give it a go.
My intention is to post an entry on this topic probably no more regularly than once a week. Of course I'll do other posts in between on things I come across or I find interesting, typically on the topic of security for developers. With that in mind, by the end of this week, the first myth to examine will be...
“You know as much as a hacker knows”