Wednesday, April 9, 2014

Everything you need to know about the Heartbleed SSL bug


Massive. Huge. Catastrophic. These are all headlines I’ve seen today that basically say we’re now well and truly screwed when it comes to security on the internet. Specifically though, it’s this:

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software.

Every now and then in the world of security, something rather serious and broad-reaching happens and we all run around like headless chickens wondering what on earth it means. Did the NSA finally “get us”? Is SSL dead? Is the sky falling? Well it’s bad, but not for everyone and quite possibly not as bad as many are saying it is. Most of the early news has come via heartbleed.com (a site created by Codenomicon) which, if I may say so, has done an excellent job of standing up a very nice little website and branding the bug:

Heartbleed logo

But it’s actually a lot more complex than the shiny logo suggests. It doesn’t help that it’s not an easy concept to grasp and that alone compounds the confusion and speculation about what the bug really is, what the bug is not and perhaps most importantly, what you need to do about it. I’m going to try and distil the issue into a set of common questions people are asking – Heartbleed in a nutshell, if you like.


Thursday, April 3, 2014

Microsoft MVP again for 2014! (and what it doesn’t mean)


So here’s how it works, for those who are curious: every year on one of four quarterly intervals, Microsoft chooses a bunch of people to give a shiny award to, some of them for the first time, some of them who are backing up from previous awards. Much discussion and analysis goes into who should get these (as far as I understand it), but in a nutshell, this is what it’s all about:

The Microsoft Most Valuable Professional (MVP) Award is our way of saying thank you to exceptional, independent community leaders who share their passion, technical expertise, and real-world knowledge of Microsoft products with others. It is part of Microsoft’s commitment to supporting and enriching technical communities. Even before the rise of the Internet and social media, people have come together to willingly offer their ideas and best practices in technical communities.

I feel very privileged to have received my fourth award yesterday. As I’ve been confronted by a bunch of MVP misunderstandings lately, I thought I’d pump out a short post on what the award doesn’t mean.


Friday, March 28, 2014

Podcast: Wi-Fi security, Firesheep and Pineapples


A little while back I caught up with Rob Sobers at Varonis and had a good chat about wifi, XSS and various other bits and pieces related to security on the web today. I find chats like this are great for getting a candid sense of what’s going on in the industry; no scripting, no editing just straight talk on how we’re getting pwned online.

BTW – let me apologise in advance for the audio quality, things panned out such that the only way this ended up working timing wise was while I was at Dreamworld on the Gold Coast. Yes, those are rollercoasters in the background, hopefully it’s not too distracting!

Wednesday, March 26, 2014

The prophesied Windows XP and IE 8 crisis is nigh! (unless you’re in China)


So I’m working with someone on a bit of Azure magic the other day and I’m talking them through how to use the management portal. Well at least I was trying to talk them through it but they weren’t seeing what I was seeing on the other end of the phone. It went a bit like this:

Me: Ok, so just click on “All items”, it’s got that little symbol with all the squares next to it.

Them: Uh, I’m not seeing it.

Me: Ok, so what do you see?

Them: It looks like the site is not compatible with IE 8.

Me: Hmmm, was before, is there something in particular that’s not working?

Them: It actually says the entire thing is not compatible with IE 8, let me send you a screen grab:

Azure Management Portal Message: "This web site does not support your browser version"


Tuesday, March 25, 2014

What price might you really be paying for Woolworths “free” wifi?


You know how the saying goes – if the product is free then you’re the product! This works for the likes of Facebook or Google because you get hit with targeted ads. It works for LinkedIn because they can then sell premium services that grant people access to the data they collect. Question is though, how do you become the product in an era of free wifi?

The other day I noticed this for the first time in my local Woolworths supermarket down here in Australia:

Sign in Woolworths offering free wifi

Free wifi makes a lot of sense in certain places. In a cafe, for example, you – the customer – linger longer and consume more lattes. In fact it’s a drawcard to cafes – “I think I’ll just go to the one that lets me browse for free over my brekkie”. It also makes sense in airports where you’re sitting around for extended periods.

Question is, what’s the value proposition for the provider of free wifi in a supermarket? Here’s a highly mobile environment where you spend your visit wandering around from aisle to aisle. There’s no seating, no real waiting around and no apparent value proposition for offering customers web access. Except potentially, there is, and it’s actually quite devious.


Wednesday, March 19, 2014

New Pluralsight course: Web Security and the OWASP Top 10 – “The Big Picture”


And now for my fourth Pluralsight instalment: more OWASP! Wait – hasn’t this been done already?! Yes and no.

My first course from April last year was OWASP Top 10 Web Application Security Risks for ASP.NET and as the title suggests, it contains a heap of stuff on how OWASP applies to ASP.NET. In fact it contains so much stuff that it’s over 8 hours of in-depth training for developers on (almost) everything they need to know to protect their .NET web apps. By all accounts, the course has been extremely popular and has formed the basis for many an organisation’s default set of developer training resources. It’s also rated extremely well – month on month the viewership is going up and it’s rated 4.8 out of 5 by the hundreds of people that have taken the time to score it.

The big change with this latest course is that it is designed to appeal to a much broader audience in terms of both depth (detail of code) and breadth (range of technology stacks). In fact Pluralsight approached me to create this course based on popular demand for a “Big Picture” resource that could be consumed not just by those writing the code, but by their managers and their manager’s manager and basically anyone who has a vested interest in the security of their web assets. You can live in PowerPoint and Outlook and this will still make sense!

The way I decided to approach this is to stick to illustrations and higher-level explanations of each risk. I used the 2013 edition of the Top 10 this time (the previous course was the 2010 edition, although the content is very similar) and I broke each of the Top 10 risks into four parts. Let me explain:

Firstly, I give an overview of the risk explaining the attack vectors, security weaknesses and technical impacts. This is straight out of OWASP’s material and it helps contextualise the relative severity of each risk. I also outline a very high-level attack scenario. Here’s what it looks like for injection:

Injection overview


Tuesday, March 18, 2014

Training the next generation of developers to be security conscious at SSW’s FireBootCamp


Heard of SSW’s FireBootCamp before? It’s like those boot camps you see down at the local beaches and parks each morning, you know, the ones where a bunch of (apparently) willing participants are incessantly hammered by some drill-sergeant-like personal trainer for 30 minutes of blood, sweat and tears (I assume). But unlike this mob, the FireBootCamp folks don’t then towel off and chill for the rest of the day, instead they do this day after day, week after week for a whole two months of full-assault level real world coder training.

The idea of the FireBootCamp is that it’s intense training for would-be software devs on all the good bits of Microsoft development technologies and practices. People go in with very limited experience (or possibly none at all) in working with these tools and then come up with a broad set of skills they’ve honed while building real software with professional support every step of the way.

One of the things I really like about the way SSW has approached this is they’ve gotten various subject matter experts in to talk about specific parts of the software building process. I’m talking about things like understanding search engine optimisation, getting to grips with Web API and, let’s face it, the most important thing about building software (ok, a very important thing): security. I swung by for a chat that was recorded and published, which I’m happy to share with you here. (Incidentally, I love these more intimate settings where you can have a bit of fun and engage directly with people; I hope you enjoy it!)

Monday, March 17, 2014

I put my Azure website in the wrong location, now what?!


I was rather proud of my little effort last week in producing The World’s Greatest Azure Demo and by all accounts, it’s been exceptionally well received (hey, what did you expect from the world’s greatest demo?!) Anyway, this weekend I went back in and took a look at the state I’d left my Azure subscription in and saw this:

Single website running in standard mode

You see the problem? No? How about now:

Other websites running in West US region


Friday, March 14, 2014

The World’s Greatest Azure Demo


I had an opportunity recently, an opportunity to give a really impactful demonstration of Windows Azure to people who had not yet drunk from the Microsoft cloud fountain of love. These were people from the “old world” where men were men and infrastructure wasn’t a service, it was cold, hard metal that cost a ton and stuck with you until the damn thing was puffing out smoke.

But these were also people that were attracted to the promise of the “new world”; the on-demand, auto-scaling, commoditised, we-can’t-quite-solve-world-hunger-yet-but-we’ll-give-it-a-damn-good-go promise that’s in all the PowerPoint slides they see. Now I’ve seen some very good PPT decks before, but nothing speaks to people like a working product.

There are a lot of magnificent features in Azure and all sorts of services that can pull off some pretty impressive stunts that get the geek-brigade wetting their pants with excitement, but the people you need to really convince of the awesome are rarely the ones marvelling at the process isolation of the idempotent polymorphic shape-shifter widgets (I hope the sentiment is conveyed by the ludicrousness of this statement). No, the people who need convincing are the ones who want to know things like how much sooner it allows them to deliver working software to their customers, what options it will give them to cut costs and, importantly in the context of this demo, they want a good high-level view of how the damn thing actually works. This is the “pitch” of this demo – those are the guys I’m trying to reach.

I set a lofty goal for this – “The world’s greatest Azure demo” – and in the context of what I’ve just described about the target demographic, I reckon it’s come out pretty good. Set a high goal then jump like mad.

THE WORLD'S GREATEST AZURE DEMO - All the awesome wrapped up into a one hour superdemo


Wednesday, March 12, 2014

Donations, why I don’t need them and why I’m now accepting them for “Have I been pwned?”


So we were about halfway through watching the Wolf of Wall Street at the local cinema the other day and the iPhone starts buzzing like a mad thing. It’s on silent, of course, but you get that sense that something important is happening just by virtue of the frequency of the thing randomly jumping around in your pocket every few seconds. But it’s a night out with my wife – a rare night out – and I’m not about to risk a sneaky glance at the phone.

Now this is a long movie (as awesome as it was), but once it’s finally over and the social etiquette allows, I take a look at what’s going on. (Ok, I snuck away to the bathroom then took a look.) Forbes has been hacked and there’s a million user accounts now floating around the web. The chorus of tweets and emails I was receiving was in equal parts to bring this to my awareness and to ask “Are the accounts now in Have I been pwned?”

You see, the thing with this service is that it works best the earlier I get data in. When an event like Forbes is hitting the headlines, I want subscribers of the notification service to already know their account was popped rather than being left wondering because you can be sure it’ll be many hours and often days before the impacted company actually tells customers themselves. Plus of course getting the data up early gets HIBP into the headlines and makes it easy for concerned customers reading the morning news to actually be able to figure out if they’re impacted or not.

The problem in the above scenario was dinner – it had to happen before any downloading of pwned accounts or publishing into my system. Thing is though, dumps like this are often yoinked pretty quickly so I’ve got this potentially very small window in which to grab the data and then a slightly larger window in which to publish it. You know how painful it is to grab a 63MB zip file off the web with an iPhone?

Anyway, I explain the significance to my very understanding and supportive and beautiful and… well, you get the point. I proceed to somehow get the iPhone to do things that Jobs originally said we’d never need to. I somehow coerce the zip file off the hackers’ dumping ground and into my Dropbox whilst enjoying the first course of a lovely dinner (I think it was lovely, I was a bit preoccupied).

Here’s the point I’m driving at: Building and running this service takes sacrifices. Not much of a financial toll (although I guess you could argue there’s an opportunity loss while I’m preoccupied with HIBP), but a toll on my time which has to fit in around a more “normal” job and a young family. It’s not just loading the dumps, it’s obviously expanding the functionality and the work that had to go in as I simply did not see it becoming a raging success. I’ve had the proverbial baby, now I need to support it.
