
ASP.NET Weblogs

Phil Scott's WebLog

Quite exciting this computer magic

December 2003 - Posts

  • Ebay and your credit card info

    One of my students just got a spam message telling him to update his eBay account information.  It looks pretty professional, and IE tells him the URL it takes him to is cgi5.ebay.com/aw-cgi/eBayISAPI.dll?accupdatev

    Of course we know where this is leading.  It isn't taking him to eBay, it is taking him to some rogue site (which has already been shut down, it seems) and is taking advantage of that new IE address bar vulnerability.  Looks very legit: the link says it is taking you to eBay and IE says you are at eBay.  The only thing that is missing is that little lock thingy nobody even knows you can click on.

    eBay is a good choice for a target because of people being concerned over their bids getting wiped out.  An even better target I think would be telling people that their Amazon.com order cannot be processed without verification of a credit card number.  I wonder how many people in a rush to make sure Christmas presents arrive by the 24th would have fallen for that one.

    The only reason I have to use IE is for posting this thing right here.  There is no way I'd use it to make any type of transaction on the web. 

  • Make your own IE Patch

    Via Slashdot, some enterprising individuals released a “patch” for IE's URL spoofing vulnerability.  The problem is that it has some pretty nasty buffer overflow vulnerabilities itself.  While you have to respect the “if MS isn't going to do it, I'll do it myself!” attitude, you know some conversation happened like this:

    User 1: St0pid M$!  Can't fix their own bugs, we'll do it ourselfs!
    User 2: Right on!  M$ can't write secure code anyways, lol!!!!!!!!11oneone111!!.  We'll do it for them.
    User 1: Ok, we'll take two strings of length 256 and store them into another URL of 256 characters.  What could go wrong? 
    User 2: M$ sux0rs!  We r0x0r the b0x0rs.  M$ and Bill$$$$$ will pay us big bucks for our fix

    Here's the offending code btw: (snipped up a bit):

    char surl[256];                    // the destination: 256 bytes, no room to spare
    strcpy(surl,"http://www.openwares.org/cgi-bin/expl oit.cgi?");
    char sFake[256];                   // displayed URL, up to 255 chars, attacker-controlled
    char sTrue[256];                   // real URL, up to 255 chars, attacker-controlled
    
    // Phil: I got rid of a big if statement
    strcat(surl,sFake);                // no length check: surl can already be past 256 here
    strcat(surl,"&"); strcat(surl,sTrue);  // worst case ~560 bytes written into a 256-byte buffer

    Wow. 
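    Spelled out as an added example (my code, not the patch's): the same build-the-URL step with the length arithmetic made explicit, next to a version that refuses input that will not fit.  The prefix URL, the helper names and the two sample inputs are placeholders, not taken from the patch.

```c
#include <stdio.h>
#include <string.h>

#define URL_BUF 256

/* Hypothetical prefix standing in for the literal in the snippet above. */
static const char PREFIX[] = "http://example.invalid/cgi-bin/exploit.cgi?";

/* The pattern from the "patch": a fixed 256-byte buffer receives the prefix
   plus two caller-controlled strings. With sFake and sTrue each up to 255
   bytes the result can be strlen(PREFIX) + 255 + 1 + 255 + 1 bytes, roughly
   twice the buffer. Kept here only to be read; never call it with real input. */
void build_url_unchecked(char *surl, const char *sFake, const char *sTrue) {
    strcpy(surl, PREFIX);
    strcat(surl, sFake);
    strcat(surl, "&");
    strcat(surl, sTrue);
}

/* Bytes the concatenation needs, including the terminating NUL. */
size_t url_bytes_needed(const char *sFake, const char *sTrue) {
    return strlen(PREFIX) + strlen(sFake) + 1 + strlen(sTrue) + 1;
}

/* Hardened form: check the size up front and refuse rather than truncate or
   overflow. Returns 0 on success, -1 when the result would not fit. */
int build_url_checked(char *out, size_t outsz, const char *sFake, const char *sTrue) {
    if (outsz == 0) return -1;
    if (url_bytes_needed(sFake, sTrue) > outsz) {
        out[0] = '\0';
        return -1;
    }
    int n = snprintf(out, outsz, "%s%s&%s", PREFIX, sFake, sTrue);
    return (n >= 0 && (size_t)n < outsz) ? 0 : -1;
}

/* Two constructed inputs: a pair of short URLs, and a pair of 255-byte
   strings, the worst case the original 256-byte buffers could hold. */
int demo_short(void) {
    char surl[URL_BUF];
    return build_url_checked(surl, sizeof surl, "http://www.ebay.com/", "http://evil.invalid/");
}

int demo_worst_case(void) {
    char surl[URL_BUF], big[256];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    return build_url_checked(surl, sizeof surl, big, big);
}

int main(void) {
    char big[256];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    printf("short inputs: rc=%d\n", demo_short());
    printf("worst case needs %zu bytes, buffer is %d: rc=%d\n",
           url_bytes_needed(big, big), URL_BUF, demo_worst_case());
    return 0;
}
```

    The point of the checked version is that both strings come from the page being inspected, so the attacker picks their length; making surl bigger just moves the line, while measuring before copying removes it.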

  • Real

    Frank has a great set of links regarding the Real suit against Microsoft.  Real Media needs to stop installing spyware and BUFFERING BUFFERING BUFFERING BUFFERING write some software that doesn't suck.  Pretty much the only format I like to see videos encoded in is QuickTime or DivX.  I still haven't really bothered to figure out what the difference between ASF and WMV files is.  All I know is that I can download them...sometimes.  Has anyone in the history of the internet had an enjoyable experience using streaming video à la Real or Microsoft's streaming video?  The only time it is appropriate is for live events.  Otherwise, give me an opportunity to download it while I'm cooking dinner, and let me watch it without buffering.

  • The Ol' Apache vs IIS Netcraft Story

    Reading the comments to this article on Slashdot made me vomit in my mouth.  Hey, Apache is great.  It's free!  My sister is paying $3 a month for a decent hosting service.  How are they able to charge so little?  Because they pay nothing for the software, and they have some pretty talented people working there for real cheap.  But reading through the comments about people switching to Apache because IIS is hard to configure, applications crash on it more (wtf?) and that IIS is chock full of holes and is constantly being hacked is just plain retarded. 

    The reason that Apache is so far ahead is because my little sister wants a website, and wants to spend three bucks on it.  You have every Tom, Dick and Dmitry out there with a weblog, pictures of their dog, crappy gaming and/or hardware site and that starts to add up.  Not to mention people who are simply squatting domains and pointing them towards some Apache server out there. 

    As many people know, a scan of the Fortune 1000 sites by Port80 Software puts Microsoft at 54.1% of the market share, with Netscape's server in second place.  Take what you will of that information, but the fact remains that companies are choosing IIS or Netscape server for many reasons, not just technical.  It is simply easier to work with and there is a much greater sense of security for companies.  I'm not trying to knock Apache, I think it is swell.  But I don't think that a bunch of porn sites and weblogs running Apache is any reason to pat yourself on the back and fire off a good round of Microsoft bashing. 

    Now one thing is interesting about this is that you commonly hear that the reason you see more attacks against MS is because their software has a bigger market share.  Apache clearly has a bigger marketshare, but you don't hear about any Nimda type attacks against Apache.  Hmmmmm.

    Sorry about this, but sometimes when I read the comments on slashdot I need to get it out of my system.  Otherwise what I read would rattle around in my brain until blood actually shot out of my eyes.

  • KYdotNET Tomorrow

    My plan is to make it up to the KYdotNET meeting tomorrow.  If you are going to be there, drop me a line in my comments.  If I do go, I'll probably be the 24 year old wearing a navy blue sweatshirt with a hood and blue jeans.  It's the only clean clothes I have left for tomorrow.  As many geeks will probably be wearing that same outfit, just look for the handsome, suave and modest guy wearing the navy blue sweatshirt with some blue jeans.  I'll keep you guys updated on what I'm wearing so that people can spot me in case I either 1) do laundry 2) buy more clothes 3) just wear something that's laying on the floor and doesn't smell that bad. 

    On a related note, the spammers have deemed my comments worth spamming.  It was kinda sad really.  Someone left a post about how they were really enjoying my posts and how I should keep it up.  Put a bit of a hop in my step.  Too bad their link took me to a site where I could learn how to buy a house with some mortgage I received from someone so shady they resort to lying about my posts being worth reading to get me or others to make a $250,000 investment.  Really broke my heart realizing that nobody loves me.  Anyways, I am honored to be deemed worth their time and effort.  Random comment spammer, you are one crazy S.O.B., but you have to admire your insane desire to con people out of their money.

  • sTICKEYkEYS

    Sometimes I'll go to type something in, and I'll be holding down the shift key.  Locked, loaded and ready to write one kick ass sentence.  The problem is that my brain kinda forgets what I'm doing.  No big deal, I'm used to it.  But the next thing I know BEEP StickyKeys has turned on.  And in a rush of confusion that can only be brought on when your brain is at idle and suddenly gets beeped at, I simply hit enter.  God help me at this point.  Pressing shift acts like the caps lock key, the caps lock key seemingly makes the little light on the keyboard mean the opposite of whatever it indicates, and I'm pretty sure the Scroll Lock key and the SysRq key switch functions too.  Any combination of shift, caps lock and the letter n seemingly simply sets caps lock to the opposite of whatever I think it should be at that point.

    It's a little humbling to realize that sometimes my brain will cause me to type at a speed that Microsoft has assumed could only be brought on by a physical disability.

  • KYdotNet: Improving .NET Application Performance and Scalability

    Next Tuesday the local INETA group is meeting and Tim Landgrave is presenting a topic on Improving .NET Application Performance and Scalability.  Normally, making it to these meetings is kinda a pain for me so I've never actually gone to them (every time I've had a free Tuesday evening it's been something like “Using Delegates” or something else insanely boring).  Anyways, as of right now I think I'll have that night free, and I'd like to see some other people's ideas on application performance and scalability.  I can't help but think that he'll simply be presenting the “Improving .NET Application Performance and Scalability” Patterns & Practices or a rehash of what was in the webcast (I can't find a link for it, anyone?) based on the name.  Tim is the RD for Louisville, so perhaps it might be interesting to hear him talk.

    Anyway, anyone going?

  • Logging on as SA. It Never Fails

    From books on-line:

    System administrator (sa) is a special login provided for backward compatibility. By default, it is assigned to the sysadmin fixed server role and cannot be changed. Although sa is a built-in administrator login, do not use it routinely. Instead, make system administrators members of the sysadmin fixed server role, and have them log on using their own logins. Use sa only when there is no other way to log in to an instance of Microsoft® SQL Server™ (for example, when other system administrators are unavailable or have forgotten their passwords).

    Every time I teach a SQL Server course, I tell them about the horrors of having an application log in as sa.  I tell them that if you must run in mixed mode, don't assign sa a password, assign it a pass-sentence.  You've got 128 characters, use them all.  How about "This is my sa pâssword!  Every time I use sa I will do 100 pushups so I can beat up geeks who tell me not to use it!@#$%^&*()[]{}"

    I think that's a pretty safe password.  120+ characters, numbers, symbols, mixed case and a little international flava thrown in too.  You'd need one dedicated individual to launch a brute-force attack on that password (my estimate is that it would take about 1.1e267 tries to guess it with a brute-force attack).

    Anyways, every single time I mention this in a SQL Server course, at least one person (sometimes two or three) tells me that some accounting package or cash register system requires them to log in with the sa account.  And even worse, the password will ALWAYS be one of three things: password, admin or a blank password.  So they always try to change it to something more secure, and the app will basically implode on itself because it requires the sa account with that password because they've hard-coded it like that.  As Charlie Brown would say, "ARGHHHHH."

    Ok, if you are one of the people who have no idea why this is a bad idea, let me break it down for you (if you are a database guru (or even just not a security-impaired individual) you might want to stop reading because this will probably be boring to you (unless you like laughing at the misfortune of others)).  This is all kinds of bad-times.  For a quick security review, remember that writing a secure app is like defending a castle.  You have to defend all possible ways in.  An attacker only has to find one weak spot.  The more layers of security, the easier it will be for you to defend.

    SQL Injection Attacks.
    Steven Livingston broke it down nicely in a past post, so I'm not going to cover it again.  You can use Google to search for SQL Injection for more information.  Anyways, I get “we do security through the user interface” quite a bit.  Well that's great.  Just make sure that you have bullet proof validation code.  And pray that your newly hired intern that you've got working on some trivial reporting aspect of the app also writes bullet proof code.  Oh, and stored procedures will not always save you.  Anyone ever seen a stored procedure that has code that looks like this: "exec ('SELECT FirstName, LastName from Employees WHERE City IN (' + @CityList + ')')"?  The procedure is only a wrapper here: whatever is in @CityList becomes part of the statement text, quotes, semicolons, comments and all.  You and I may be security experts, but all it takes is someone else on our team who was up late drinking Martinis and playing Prince of Persia to come in and introduce a whole slew of bad times.  For more SQL Injection fun, Ted Neward has a really nice post on SQL Injection attacks and the silliness vendors are guilty of.
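    An added example in C (my code, not from Steven's or Ted's posts and not from any real application): the string-splicing the stored procedure above does, next to an allowlist check for the only shape @CityList should ever have.  The function names, the Employees table, the sysxlogins payload and the sample lists are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Mirrors the stored procedure quoted above: the caller-supplied list is
   spliced straight into the statement text. Returns the length written,
   or -1 if the statement does not fit in out[outsz]. */
int build_employee_query(const char *cityList, char *out, size_t outsz) {
    int n = snprintf(out, outsz,
        "SELECT FirstName, LastName FROM Employees WHERE City IN (%s)", cityList);
    return (n >= 0 && (size_t)n < outsz) ? n : -1;
}

/* Allowlist check for the grammar @CityList is supposed to follow: one or
   more single-quoted literals separated by commas, e.g. 'Louisville','Lexington'.
   Inside a literal only letters, spaces, dots, hyphens and a doubled quote
   (O''Fallon) are accepted. Anything else, a stray quote, a parenthesis, a
   semicolon, "--", means it is not a city list. Returns 1 if valid, else 0.
   Hypothetical helper; a real app would also not build the SQL by hand. */
int valid_city_list(const char *s) {
    if (s == NULL || *s == '\0') return 0;
    for (;;) {
        if (*s++ != '\'') return 0;                 /* literal must open with a quote */
        size_t len = 0;
        for (;;) {
            char c = *s;
            if (c == '\0') return 0;                /* unterminated literal */
            if (c == '\'') {
                if (s[1] == '\'') { s += 2; len++; continue; }   /* escaped quote */
                s++;                                /* closing quote */
                break;
            }
            if (!(isalpha((unsigned char)c) || c == ' ' || c == '.' || c == '-')) return 0;
            s++;
            len++;
        }
        if (len == 0 || len > 64) return 0;         /* empty or absurdly long name */
        if (*s == '\0') return 1;                   /* clean end of list */
        if (*s++ != ',') return 0;                  /* only a comma may follow a literal */
    }
}

/* Length the spliced statement would have, so it can be checked without
   the caller managing a buffer. */
int query_len(const char *cityList) {
    char sql[512];
    return build_employee_query(cityList, sql, sizeof sql);
}

int main(void) {
    char sql[512];
    /* Constructed inputs: a legitimate list, and one that closes the IN (...)
       early, tacks on a UNION and comments out the rest of the statement. */
    const char *good = "'Louisville','Lexington'";
    const char *evil = "'Louisville') UNION SELECT name, password FROM master..sysxlogins --";
    build_employee_query(good, sql, sizeof sql);
    printf("valid=%d  %s\n", valid_city_list(good), sql);
    build_employee_query(evil, sql, sizeof sql);
    printf("valid=%d  %s\n", valid_city_list(evil), sql);
    return 0;
}
```

    Run it and the second statement prints as one line with the closing parenthesis commented away, which is the whole attack.  The grammar check is a second layer, not the fix: the fix is to stop concatenating and pass the list to the procedure as data (a parameter, or a split-into-a-table helper) so the database never parses user input as code.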

    Brute Force Attack
    Guess what SQL Server doesn't do?  Lock out accounts after x bad logins.  You can try as many password combinations as you want.  And the best part?  You already know the username!  Yee haw!  In 10 minutes, I wrote an application that scans the network looking for SQL Servers, and tries 2000 common admin passwords.  The hardest part was finding a text file with passwords and remembering how to read in text files (XML, how you spoil me).  For a single server, it can do all 2000 passwords in less than 10 seconds.  Guess what...it can find “admin” as a password pretty easily. 

    “Who cares, we are behind a firewall!” you say?  Guess what?  You guessed it, most attacks come from within the firewall.  All it takes is one sales person to run an attachment that launches this attack.  Block .exe, .scr, .cmd, .bat, .pif and whatever other executables as attachments?  Great!  But all it takes is one person to write an old school virus that attaches itself to a floppy disk, or someone gets it via an attachment from their Hotmail account and it's hamster huey and the big kablooie time. 

    Right-click, open with Notepad
    You can view connection strings from Notepad you know.  You can view any string really.  Take a look at this program, creatively called Strings.  A little search for password= would work nicely.  I'd be amazed if people logging into SQL Server with the sa account could spell DES, let alone know to encrypt connection strings.
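    An added example (not the Strings tool itself, and not code from this page): a minimal printable-run scanner of the kind Strings performs, run over a constructed byte blob standing in for a compiled app with an embedded connection string.  The blob, the connection string and the function names are made up for the illustration.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Constructed stand-in for an application's on-disk image: some header and
   "code" bytes with a connection-string literal sitting in between, which
   is how a compiler lays out a hard-coded string. Not a real binary. */
static const unsigned char fake_exe[] =
    "MZ\x90\0\3\0\0\0\4\0\0\0\xff\xff"                      /* header-ish bytes */
    "Server=sql01;Database=Pos;User ID=sa;Password=admin;"  /* the embedded secret */
    "\0\0\xe8\0\0\0\0\xc3"                                 /* more "code" */
    "ok";                                                  /* a run too short to report */

/* Case-insensitive search for needle inside hay[0..n). Returns the offset
   of the first match, or -1. */
static long ci_find(const char *hay, size_t n, const char *needle) {
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++) {
        size_t j = 0;
        while (j < m && tolower((unsigned char)hay[i + j]) == tolower((unsigned char)needle[j])) j++;
        if (j == m) return (long)i;
    }
    return -1;
}

/* Walk the image collecting printable runs of at least min_run bytes (the
   Strings approach). For each run look for password= and copy the value
   (up to ';' or the end of the run) into out. Returns the number of runs
   that met the minimum length; *found is set to 1 when a password was cut out. */
size_t scan_for_password(const unsigned char *img, size_t n, size_t min_run,
                         char *out, size_t outsz, int *found) {
    size_t runs = 0, start = 0;
    *found = 0;
    if (outsz) out[0] = '\0';
    for (size_t i = 0; i <= n; i++) {
        int printable = i < n && isprint(img[i]);
        if (printable) continue;                    /* still inside a run */
        size_t len = i - start;                     /* run is img[start..i) */
        if (len >= min_run) {
            runs++;
            const char *run = (const char *)img + start;
            long off = ci_find(run, len, "password=");
            if (off >= 0 && !*found && outsz) {
                size_t v = (size_t)off + strlen("password=");
                size_t k = 0;
                while (v + k < len && run[v + k] != ';' && k + 1 < outsz) {
                    out[k] = run[v + k];
                    k++;
                }
                out[k] = '\0';
                *found = 1;
            }
        }
        start = i + 1;
    }
    return runs;
}

/* Convenience wrappers over the constructed image. */
static char demo_buf[64];
const char *demo_password(void) {
    int found;
    scan_for_password(fake_exe, sizeof fake_exe - 1, 4, demo_buf, sizeof demo_buf, &found);
    return found ? demo_buf : NULL;
}

size_t demo_run_count(void) {
    char tmp[8];
    int found;
    return scan_for_password(fake_exe, sizeof fake_exe - 1, 4, tmp, sizeof tmp, &found);
}

int main(void) {
    const char *pw = demo_password();
    printf("%zu printable run(s); sa password %s\n", demo_run_count(), pw ? pw : "not found");
    return 0;
}
```

    Nothing here is cleverer than Notepad with Find; that is the point.  A hard-coded sa password survives any amount of "security through the user interface" because it is sitting in the file the user already has.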

    The scary:

    XP_CMDSHELL
    This is what always gets people a little nervous.  In class, I tend to format partitions from a text box in Visual Basic using XP_CMDSHELL.  I'll also create domain users with a password of my choosing.  All kinds of fun stuff.  Give me access to XP_CMDSHELL and you've given me the world (well, at least the local computer and perhaps the network).  And you just know that people that login to SQL Server as sa also give SQL Server domain admin permissions...

    Subtle Data Changes
    Someone dropping a database or formatting a hard drive doesn't scare me.  We've got backup tapes.  What scares me is someone writing code that makes subtle changes.  Perhaps flipping numbers in addresses or phone numbers.  Deleting a character from an e-mail address.  Adding tiny amounts to purchases or inventory levels.  Things that might not be figured out for weeks, way past when our backup tapes get rotated back into circulation.

    So, how do you solve this?  First of all, don't log on as sa, dummy.  If you need to do some "admin" like tasks, break them off into a separate application.  And even then make sure you need the sa level of security.  I'd create a separate login with "backup operator" privileges, or whatever else is needed.  I'd also HIGHLY recommend not even using SQL Server authentication.  Windows Auth is default for a reason.  It's not that hard to use, in fact you might even find it easier (and for the love of god, don't require people to log in as Administrator to use the app too!!!!!). 

  • Football Loving Geek

    Like any good football loving geek (I was nicknamed the Michael Vick of Intramural Football at my college BTW), I was intrigued by our current situation involving USC, LSU and OU.  I personally think that Michigan is going to beat USC and OU will beat LSU, so I really am not going to get flustered over that aspect of the polls.  But what really has me interested is the statistics part of things.  Now, I never thrived in my statistics courses (I called the courses sadistics 101), but you throw football into the mix and suddenly I want to bust out the TI-83 and come up with my own computer rankings to rule them all.

    If you follow football, you probably know the computer rankings were required to drop the margin of victory data from their rankings.  Meaning a win of 3 points is just as good as a win of 28 points.  This I understand.  It keeps certain teams from running up the score on Southern North Carolina Polytech A&M State to help them in their computer rankings.  Of course, this also means a loss of 28 points is just as bad as a loss of three points.  I figure any team that can't prevent a team from running up the score on them doesn't even belong in consideration for BCS quality games.  But a team that gets blown out vs a team that loses in three overtimes might have something to say about the “quality losses.”

    This of course has led me on the great search for college football stats available in XML format (hell, I'll take CSV.  Not with a smile, but I'll take it).  Really I just need the scores of the games to write my brilliant system that will save college football as we know it.  Anyone know of a source?  NCAA.org seems to have the data, but in PDF format.

  • Stupid Install Tricks

    I never knew this, so it's new to me (duh).  Anyways, if you press Shift+F10 during Windows Setup you get a command prompt.  What's the importance of this?  You can play FreeCell while Setup runs.
