Wednesday, April 23, 2014

It’s RunAs Radio, it’s Heartbleed and it’s still got a way to run yet

Day 16: The news headlines continue. Conspiracy theories keep emerging. The FUD evolves as people take further liberties with the truth (no mate, you didn’t get done by Heartbleed, you just chose a crap password).

A few days ago I caught up with Richard Campbell of RunAs Radio fame to talk about Heartbleed. You may remember Richard from such .NET Rocks episodes as talking security with Carl, Richard and Troy and Hacking yourself first with Carl and Richard on .NET Rocks. RunAs tends to be a more IT infrastructure orientated show, but the thing about Heartbleed is that it really knows no bounds; sys admins, devs and even consumers are copping it left, right and centre.

This show panned out to be more about a couple of guys talking through how the bug and the security implications are panning out rather than being about what the Heartbleed bug is per se (read my post on Everything you need to know about the Heartbleed SSL bug if you want to know that). It’s about 33 minutes and you can grab it from the RunAs Radio site or listen to it here:

Tuesday, April 22, 2014

Get hacked, get trained for free - the web security crisitunity

If I’m honest, I’ll admit to a certain degree of schadenfreude when Tesco got hacked recently, I mean I did call these risks out a long time ago and they did choose to largely ignore them. What struck a bit of a nerve though was not just that they got hacked after turning a blind eye to the issues I’d found, it’s that by all accounts, they were compromised by very well-known risks. I mean c’mon – these are obvious, right?! Perhaps it was just another case of “you don’t know what you don’t know”.

But it did get me thinking – how many of the attacks we’ve seen in recent years simply exploited well-known risks? Sure, in hindsight the flaws that enabled the attackers to do bad things are usually obvious, but how often do we (and I say that collectively as the software industry) know these risks very well yet still let them creep into our software? I reckon it’s very often – too often.

When I wrote the launch blog post for my latest Pluralsight course the other day, I reflected on how even as I was recording the material on vulnerable WordPress plugins, Forbes got popped by what I speculated appeared to be that very risk. That course was about the OWASP Top 10 and is a “Big Picture” course, that is, it’s a higher-level overview than most of my others and it’s designed to be easily consumable by pretty much anyone involved in the software process, not just developers. But it got me thinking – just how much of the Top 10 can we easily point to and say “There – those guys got pwned precisely because they didn’t understand their Top 10”. I’m going to write about it in more detail at a later date, but I reckon it’s lots. Actually I reckon it’s most, at least that’s what the anecdotal evidence suggests. I mean how often do we look at an attack (the recent Heartbleed bug aside) in retrospect and say, ooh, I’ve never seen that before?!

Around the same time as I was recording this course, Pluralsight was also thinking about security and we discussed it at length many, many times. In fact they agreed that security was so important that if an org fell afoul of bad security, they deserved a bit of a break in the form of free security training. Until April 25 (yes, only a few days from now), if you work for an org that’s been pwned in the last year, head on over to my post on their blog titled Online attacks are preventable. Protect yourself with free Pluralsight training for 1 month! then fill out the form and nab yourself a month of free training from the security library.

So that’s the crisitunity – yes, you need to have fallen on the unpleasant side of internet nasties but hey, now’s the time to take something away from that experience and develop the competencies to avoid it happening again. Chances are that most web software being built right now contains the very bugs that these courses address and could lead to the next set of web security news headlines. Now who can pass this onto Tesco for me? :)

Wednesday, April 9, 2014

Everything you need to know about the Heartbleed SSL bug

Massive. Huge. Catastrophic. These are all headlines I’ve seen today that basically say we’re now well and truly screwed when it comes to security on the internet. Specifically though, it’s this:

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software.

Every now and then in the world of security, something rather serious and broad-reaching happens and we all run around like headless chickens wondering what on earth it means. Did the NSA finally “get us”? Is SSL dead? Is the sky falling? Well it’s bad, but not for everyone and quite possibly not as bad as many are saying it is. Most of the early news has come via heartbleed.com (a site created by Codenomicon) which, if I may say so, has done an excellent job of standing up a very nice little website and branding the bug:

Heartbleed logo

But it’s actually a lot more complex than the shiny logo suggests. It doesn’t help that it’s not an easy concept to grasp and that alone compounds the confusion and speculation about what the bug really is, what the bug is not and perhaps most importantly, what you need to do about it. I’m going to try and distil the issue into a set of common questions people are asking – Heartbleed in a nutshell, if you like.
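The quoted sentence above is the whole bug in one line, but the mechanism is easier to see in code. What follows is an added example, not code from the original post and not OpenSSL’s source: a simplified model of an RFC 6520 heartbeat responder with the unchecked payload length beside the length check that OpenSSL 1.0.1g introduced. The record layout, the 16-byte minimum padding, the 128-byte “process memory” and the adjacent `Cookie:` string are all constructed for the demonstration; the over-read is deliberately kept inside that buffer so the program runs safely.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Teaching model of a TLS heartbeat responder (RFC 6520), not OpenSSL's code.
 * A HeartbeatMessage is: 1 byte type, 2 byte payload_length, payload_length
 * bytes of payload, then at least 16 bytes of padding. The responder echoes
 * the payload back. Heartbleed was the responder trusting payload_length
 * without checking it against the number of bytes that actually arrived.
 */

#define HB_PADDING 16       /* minimum padding RFC 6520 requires */
#define MEM_SIZE   128      /* constructed stand-in for the responder's memory */
#define MALICIOUS_RECORD_LEN 7   /* bytes that really arrived: header + "ping" */

/* Constructed sample of application data sitting next to the received record. */
static const char ADJACENT_SECRET[] = "Cookie: session=7f3a9c";

static uint16_t hb_payload_length(const uint8_t *msg) {
    return (uint16_t)((msg[1] << 8) | msg[2]);
}

/* Vulnerable responder: copies payload_length bytes whether or not they arrived. */
size_t hb_respond_vulnerable(const uint8_t *msg, uint8_t *out) {
    uint16_t len = hb_payload_length(msg);
    memcpy(out, msg + 3, len);   /* reads past the message when len is a lie */
    return len;
}

/* Fixed responder: payload_length (plus padding) must fit inside the received record. */
size_t hb_respond_fixed(const uint8_t *msg, size_t record_len, uint8_t *out) {
    if (record_len < 1 + 2 + HB_PADDING)
        return 0;                /* cannot hold even an empty payload plus padding */
    uint16_t len = hb_payload_length(msg);
    if ((size_t)1 + 2 + len + HB_PADDING > record_len)
        return 0;                /* the check 1.0.1g added: silently drop the record */
    memcpy(out, msg + 3, len);
    return len;
}

static int bytes_contain(const uint8_t *hay, size_t n, const char *needle) {
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0) return 1;
    return 0;
}

/* Lays out a 7-byte request claiming a 64-byte payload, with secret data right after it. */
static void build_memory(uint8_t *mem, size_t mem_len) {
    memset(mem, 0, mem_len);
    mem[0] = 1;                  /* heartbeat_request */
    mem[1] = 0; mem[2] = 64;     /* payload_length = 64, but only 4 bytes follow */
    memcpy(mem + 3, "ping", 4);
    memcpy(mem + 7, ADJACENT_SECRET, sizeof ADJACENT_SECRET);
}

/* Returns 1 if the vulnerable responder's reply carries the adjacent secret. */
int vulnerable_leaks_secret(void) {
    uint8_t mem[MEM_SIZE], out[MEM_SIZE];
    build_memory(mem, sizeof mem);
    size_t n = hb_respond_vulnerable(mem, out);
    return n == 64 && bytes_contain(out, n, ADJACENT_SECRET);
}

/* Bytes the fixed responder echoes for the same malicious record (expected 0). */
size_t fixed_reply_length(void) {
    uint8_t mem[MEM_SIZE], out[MEM_SIZE];
    build_memory(mem, sizeof mem);
    return hb_respond_fixed(mem, MALICIOUS_RECORD_LEN, out);
}

/* Bytes echoed for a well-formed 4-byte heartbeat with 16 bytes of padding (expected 4). */
size_t fixed_reply_length_legit(void) {
    uint8_t msg[3 + 4 + HB_PADDING] = {1, 0, 4, 'p', 'i', 'n', 'g'};
    uint8_t out[MEM_SIZE];
    return hb_respond_fixed(msg, sizeof msg, out);
}

int main(void) {
    printf("vulnerable responder leaks secret: %s\n", vulnerable_leaks_secret() ? "yes" : "no");
    printf("fixed responder echoes %zu bytes for the malicious record\n", fixed_reply_length());
    printf("fixed responder echoes %zu bytes for the legitimate record\n", fixed_reply_length_legit());
    return 0;
}
```

The point to take away is that the fix is not about the heartbeat feature itself but about which length is trusted: the one the peer wrote into the message, or the one the TLS record layer actually delivered. Only the latter is something the responder knows to be true.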

Thursday, April 3, 2014

Microsoft MVP again for 2014! (and what it doesn’t mean)

So here’s how it works, for those who are curious: every year on one of four quarterly intervals, Microsoft chooses a bunch of people to give a shiny award to, some of them for the first time, some of them who are backing up from previous awards. Much discussion and analysis goes into who should get these (as far as I understand it), but in a nutshell, this is what it’s all about:

The Microsoft Most Valuable Professional (MVP) Award is our way of saying thank you to exceptional, independent community leaders who share their passion, technical expertise, and real-world knowledge of Microsoft products with others. It is part of Microsoft’s commitment to supporting and enriching technical communities. Even before the rise of the Internet and social media, people have come together to willingly offer their ideas and best practices in technical communities.

I feel very privileged to have received my fourth award yesterday. As I’ve been confronted by a bunch of MVP misunderstandings lately, I thought I’d pump out a short post on what the award doesn’t mean.

Friday, March 28, 2014

Podcast: Wi-Fi security, Firesheep and Pineapples

A little while back I caught up with Rob Sobers at Varonis and had a good chat about wifi, XSS and various other bits and pieces related to security on the web today. I find chats like this are great for getting a candid sense of what’s going on in the industry; no scripting, no editing just straight talk on how we’re getting pwned online.

BTW – let me apologise in advance for the audio quality, things panned out such that the only way this ended up working timing wise was while I was at Dreamworld on the Gold Coast. Yes, those are rollercoasters in the background, hopefully it’s not too distracting!

Wednesday, March 26, 2014

The prophesied Windows XP and IE 8 crisis is nigh! (unless you’re in China)

So I’m working with someone on a bit of Azure magic the other day and I’m talking them through how to use the management portal. Well at least I was trying to talk them through it but they weren’t seeing what I was seeing on the other end of the phone. It went a bit like this:

Me: Ok, so just click on “All items”, it’s got that little symbol with all the squares next to it.

Them: Uh, I’m not seeing it.

Me: Ok, so what do you see?

Them: It looks like the site is not compatible with IE 8.

Me: Hmmm, was before, is there something in particular that’s not working?

Them: It actually says the entire thing is not compatible with IE 8, let me send you a screen grab:

Azure Management Portal Message: "This web site does not support your browser version"

Tuesday, March 25, 2014

What price might you really be paying for Woolworths “free” wifi?

You know how the saying goes – if the product is free then you’re the product! This works for the likes of Facebook or Google because you get hit with targeted ads. It works for LinkedIn because they can then sell premium services that grant people access to the data they collect. Question is though, how do you become the product in an era of free wifi?

The other day I noticed this for the first time in my local Woolworths supermarket down here in Australia:

Sign in Woolworths offering free wifi

Free wifi makes a lot of sense in certain places. In a cafe, for example, you – the customer – linger longer and consume more lattes. In fact it’s a drawcard for cafes – “I think I’ll just go to the one that lets me browse for free over my brekkie”. It also makes sense in airports where you’re sitting around for extended periods.

Question is, what’s the value proposition for the provider of free wifi in a supermarket? Here’s a highly mobile environment where you spend your visit wandering around from aisle to aisle. There’s no seating, no real waiting around and no apparent value proposition for offering customers web access. Except potentially, there is, and it’s actually quite devious.

Wednesday, March 19, 2014

New Pluralsight course: Web Security and the OWASP Top 10 – “The Big Picture”

And now for my fourth Pluralsight instalment: more OWASP! Wait – hasn’t this been done already?! Yes and no.

My first course from April last year was OWASP Top 10 Web Application Security Risks for ASP.NET and as the title suggests, it contains a heap of stuff on how OWASP applies to ASP.NET. In fact it contains so much stuff that it’s over 8 hours of in-depth training for developers on (almost) everything they need to know to protect their .NET web apps. By all accounts, the course has been extremely popular and has formed the basis for many an organisation’s default set of developer training resources. It’s also rated extremely well – month on month the viewership is going up and it’s rated 4.8 out of 5 by the hundreds of people that have taken the time to score it.

The big change with this latest course is that it is designed to appeal to a much broader audience in terms of both depth (detail of code) and breadth (range of technology stacks). In fact Pluralsight approached me to create this course based on popular demand for a “Big Picture” resource that could be consumed not just by those writing the code, but by their managers and their manager’s manager and basically anyone who has a vested interest in the security of their web assets. You can live in PowerPoint and Outlook and this will still make sense!

The way I decided to approach this is to stick to illustrations and higher-level explanations of each risk. I used the 2013 edition of the Top 10 this time (the previous course was the 2010 edition, although the content is very similar) and I broke each of the Top 10 risks into four parts. Let me explain:

Firstly, I give an overview of the risk explaining the attack vectors, security weaknesses and technical impacts. This is straight out of OWASP’s material and it helps contextualise the relative severity of each risk. I also outline a very high-level attack scenario. Here’s what it looks like for injection:

Injection overview

Tuesday, March 18, 2014

Training the next generation of developers to be security conscious at SSW’s FireBootCamp

Heard of SSW’s FireBootCamp before? It’s like those boot camps you see down at the local beaches and parks each morning, you know, the ones where a bunch of (apparently) willing participants are incessantly hammered by some drill-sergeant-like personal trainer for 30 minutes of blood, sweat and tears (I assume). But unlike this mob, the FireBootCamp folks don’t then towel off and chill for the rest of the day, instead they do this day after day, week after week for a whole two months of full-assault level real world coder training.

The idea of the FireBootCamp is that it’s intense training for would-be software devs on all the good bits of Microsoft development technologies and practices. People go in with very limited experience (or possibly none at all) in working with these tools and then come out with a broad set of skills they’ve honed while building real software with professional support every step of the way.

One of the things I really like about the way SSW has approached this is they’ve gotten various subject matter experts in to talk about specific parts of the software-building process. I’m talking about things like understanding search engine optimisation, getting to grips with Web API and, let’s face it, the most important thing about building software (ok, a very important thing), security. I swung by for a chat that was recorded and published, which I’m happy to share with you here. (Incidentally, I love these more intimate settings where you can have a bit of fun and engage directly with people, I hope you enjoy it!)

Monday, March 17, 2014

I put my Azure website in the wrong location, now what?!

I was rather proud of my little effort last week in producing The World’s Greatest Azure Demo and by all accounts, it’s been exceptionally well received (hey, what did you expect from the world’s greatest demo?!) Anyway, this weekend I went back in and took a look at the state I’d left my Azure subscription in and saw this:

Single website running in standard mode

You see the problem? No? How about now:

Other websites running in West US region
