Friday, 30 November 2012

Getting deeper inside ASP.NET with ASPInsiders

One of the things I’ve really enjoyed about blogging and engaging with the development and security communities is some of the opportunities it’s opened up simply by doing things I really enjoy. I’m talking about opportunities like the MVP award, joining up with the Friends of Redgate and numerous other perks and rewards that seem to pop up out of the woodwork.

I’m very happy to now be joining the ASPInsiders:

ASPInsiders logo

The who now?!

The ASPInsiders is a select group of international professionals who have demonstrated expertise in ASP.NET technologies and who provide valuable, early feedback on related developing technologies and publications to their peers, the Microsoft ASP.NET team and others.

Is it just me, or does that sound a little familiar?

If you have a problem, if no one else can help, and if you can find them…

The A Team

Not quite; the ASPInsiders weren’t sent to a military court for a crime they didn’t commit (at least not to my knowledge). Instead, it includes a veritable who’s who of luminaries from the .NET community, MVPs and many names within Microsoft you’ll recognise. And somehow, now me.

My hope is that this provides more opportunity for me to both develop my own understanding of ASP.NET and provide feedback from the community to help shape the future of the product. Clearly my focus tends to be more security-centric, and there are a number of security areas I’d love to contribute to. Of course, along with all that, I really want to keep hearing from you what you love, hate or are indifferent about in the framework, so as always, comments, tweets and phone calls are most welcome, and I may have a bit more of an opportunity to make a difference now.

Wednesday, 28 November 2012

5 essential tips for customer care people dealing with technical queries

It happened again. Well actually, it happens all the time but I got inadvertently drawn into it again. I’m referring to this:

@stereosky @scampreturns @troyhunt All data on our system is totally secure. We take these concerns seriously tho & we're already...

Totally secure! Not just “pretty” secure or “really” secure but totally secure! I need to learn how to do that.

Now this was in response to the following tweet:

So @wishgenie hasn't responded to my tweet about sending my password in plain text. Just so you know. It's apparently not that important

This is a familiar banter; a concerned customer raises a valid point about the technical implementation of a system and they’re brushed off by a customer care Oompa Loompa with a totally insufficient or incorrect response and then things escalate from there. It’s exactly what happened when Tesco did this a few months back:

@troyhunt Passwords are stored in a secure way. They’re only copied into plain text when pasted automatically into a password reminder mail.

That now infamous tweet has been retweeted over 2,000 times and the subsequent blog post read about 150,000 times. Bugger for Tesco.

The problem, of course, is that customer service folks, who are usually the coalface for the organisation’s social media presence, are simply not equipped to provide technical responses, nor should they be expected to. But there are a few simple tips they could apply that would save them from spiralling into an unwinnable online embarrassment.


Thursday, 22 November 2012

Podcasting with SC magazine: The anatomy of a Facebook gift card scam

This week’s post on Disassembling the Woolworths Facebook scam has had a pretty good run. In part, I suspect this is due to the approaching holiday shopping season and in part because I know this scam is really doing the rounds and being seen by a lot of people.

Yesterday I had a chat with Dan Kaplan from Secure Computing Magazine for their podcast and pointed out a number of factors that make scams like this successful:

  1. They’re endorsed by your friends. You’re seeing people you know like and share these scams as that’s a condition of their “entry”. They have credibility.
  2. They’re very low overhead for the scammer: this is nothing more than a web page.
  3. There aren’t really any native browser defences against this sort of scam unless the site they’re running on is flagged.

Compare that to the relative difficulty of mounting an email campaign:

  1. It’s costly insofar as every email has a price. It might be very small or it might be orchestrated by botnets, but that also has a cost. Certainly it’s more than just standing up a single web page.
  2. Victims are cottoning on. People are pretty used to filtering out junk these days and are naturally suspicious of email.
  3. Mail servers and clients provide native defences. It’s a very small portion of email that actually makes it into my Hotmail inbox and turns out to be junk.

In short, get used to seeing social media generated scams. The risk is low and the ROI is too good to pass up!

Monday, 19 November 2012

Disassembling the Woolworths Facebook scam

Who wants free stuff? C’mon, everybody wants a free lunch, right? Yes, yes they do and that’s precisely the trigger used in scams like this one.

Recently I wrote about the mechanics of another Facebook scam where the “bait” was photos of a salacious school girl. Many people – including female friends and my mother-in-law – readily fell for that one. This one takes quite a different and rather cunning approach which chains together numerous illusions and other means of deceiving the unsuspecting victim.

It all starts with a Facebook friend sharing a link to a page with the promise of free goods just like this:

Get a Free $400 Woolworths voucher Now. (127 Left)

Which brings you to the website at Many of you reading this will click through to that link and end up at Google so let me start tearing this thing apart and explain what’s happening.

Monday, 5 November 2012

Hacktivism is dead. Long live opportunism!

So today is November 5 and, as promised, the global Anonymous tirade has descended. The victims so far are both numerous and diverse: PayPal, ImageShack, Lady Gaga (I’m told this outage is a bad thing), Saturday Night Live and so on and so forth.

Down here in Australia where our clock ticks over before most of the rest of the world, the November 5 shenanigans have started a little earlier. What that means is we’ve got a whole lot of sites looking like this right now:

Hacked by Anonymous

These sites include Ascension Australia (a body, mind and spirit festival down in Melbourne), Semcorp (a local web development company) and the Quality Lifestyle Alliance who, well, I might let Kath Crosby sum this one up:

This is not a Government site. It's an NGO. Fuckwits. RT @AuAnon: Australian Government  Hacked by Anonymous for Nov 5th

Keep in mind that the roots of this loosely knit collective we call Anonymous lie in the hacktivist creed of using computers as a means of protest to promote political ends. So the question is this: what protest are they making by taking down a hippie festival, a small web development company with poor security and an NGO helping people with disabilities? What cause is this supporting?

The answer is very easy and it’s simply this: Nothing. Nada. Zilch. This is no more about supporting a cause than when LulzSec hacked 26,000 accounts out of last year (yes, that site is what it looks like so exercise caution!) Which brings me neatly to the point of this post: It’s not about hacktivism any more, it’s about exploiting low-hanging fruit or in other words, opportunism.
