Why using the maiden name of your mother as a password reminder is a bad idea…

February 16, 2014

Sites like PayPal still ask you for a “security question” (PayPal asks for two). The question is asked when you can no longer use your login (e.g. you have forgotten the password) and the registered email address is no longer usable either (e.g. you registered the account with your business email address and then left the company). In such cases one or two questions are asked that supposedly “only you can know”.

This concept is really old: you may have seen it in many movies from before the age of the internet, where one person asks the other for details of a shared situation from the past. Unfortunately, now that information is distributed over the internet, the core assumption of this concept no longer holds: your mother’s maiden name is known to many people, and it is searchable. Surprised? Have a look at some of these nice services:

http://www.myheritage.com/

http://www.ancestry.com/

https://familysearch.org/

Such services work with your data, and it is not always under your control who enters data about you: your sister might have set up a family tree that includes her parents, grandparents and … you. So your name might already have been published on the internet with a connection to your grandpa, and this connection provides exactly the information of interest: the maiden name of your mother.

The second piece of information might be the name of your first pet, which may well be available through your Facebook profile.

So you can see: “real” information is nothing you should rely on for “security questions”, whatever they are used for today. Tomorrow the site you gave a nearly public answer to might use that answer to “protect” a change of the email address used in its password recovery procedure.

A better approach is to let a tool generate a random string (https://lastpass.com/ has a generator; if you prefer open source: http://passwordsafe.sourceforge.net/), use that as the answer to the question, and keep it in the password manager next to the account’s password. Such questions are just another password: use long, unpredictable strings and don’t reuse them on different sites.
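The recipe above, generating a random answer and treating it as a password, as an added Python example that is not part of the original post. It uses the standard library’s secrets module as a stand-in for the password-manager generators mentioned above, and a small constructed surname list as a stand-in for what genealogy sites and social profiles expose; the numbers it returns show why a “real” answer is worth far fewer bits than a generated one.

```python
import math
import secrets
import string

# Characters a generated answer is drawn from: letters and digits only, so the
# string survives any site's input filter on the "answer" field.
ALPHABET = string.ascii_letters + string.digits

# Constructed stand-in for the data a genealogy site or social profile leaks.
# A real attacker's list is larger, but that only moves the number of guesses
# from tens to a few thousand.
PUBLIC_SURNAMES = [
    "Smith", "Johnson", "Williams", "Brown", "Jones", "Miller", "Davis",
    "Mueller", "Schmidt", "Schneider", "Fischer", "Weber", "Meyer", "Wagner",
]


def generate_answer(length: int = 24) -> str:
    """Random answer from the OS CSPRNG, as a password manager would produce it."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def random_answer_bits(length: int = 24) -> float:
    """Entropy in bits of a uniformly random answer of the given length."""
    return length * math.log2(len(ALPHABET))


def guesses_to_find(answer: str, public_list=PUBLIC_SURNAMES):
    """Attempts an attacker trying the public list in order needs to hit the
    answer, or None if the answer is not on the list at all (which is the
    case for every generated answer). Sites compare answers loosely, so the
    comparison ignores case and surrounding whitespace."""
    wanted = answer.strip().lower()
    for attempt, candidate in enumerate(public_list, start=1):
        if candidate.lower() == wanted:
            return attempt
    return None


def bits_for_real_answer(public_list=PUBLIC_SURNAMES) -> float:
    """Worst case for an answer taken from the public list: log2 of its size."""
    return math.log2(len(public_list))


if __name__ == "__main__":
    print("generated answer :", generate_answer())
    print("generated bits   :", round(random_answer_bits()))
    print("list answer bits :", round(bits_for_real_answer(), 1))
    print("guesses for Smith:", guesses_to_find("Smith"))
```

A 24-character answer over 62 symbols is roughly 143 bits; the best a listed surname can do is the logarithm of the list length, here under 4 bits. Because the generated answers are independent per site, a breach of one site’s answer database reveals nothing about the others.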


EntLib extension to execute queries with less code

January 21, 2014

For the internal security training of SDX developers I’m currently preparing a really small web application with different vulnerabilities. The goal is an application that contains all of the OWASP Top 10, so that I can let my colleagues search for them and discuss mitigations.

One of the problems I want to include is of course SQL injection. Since my favorite way of accessing data is the DAAB of the Enterprise Library, I used it in this project, too. When I came to SQL injection, I realized that I cannot use stored procedures (SPROCs) as usual but need to put the SQL statements into my code: calling a SPROC usually means using SQL parameters, which protects you from injection issues (as long as you don’t build SQL dynamically inside the SPROC).

This way I came across the question of how to use parameters with SQL statements in DAAB. This is not really an “issue” as long as you accept creating a command object, then using the database object to add the parameters (one line of code per parameter) and finally executing the command to get the result. But I don’t like to repeat such steps and wanted something more “elegant”, so I wrote a little extension method for the Database object of EntLib:

using System;
using System.Data;
using System.Data.Common;
using Microsoft.Practices.EnterpriseLibrary.Data;

/// <summary>
/// Extension methods for the Enterprise Library <see cref="Database"/> object.
/// Extension methods have to live in a static, non-nested class.
/// </summary>
public static class DatabaseExtensions
{
    /// <summary>
    /// The same as <see cref="Database.ExecuteScalar(System.Data.Common.DbCommand)"/>, but adds the properties of
    /// <paramref name="parameters"/> as parameters to the query.
    /// </summary>
    /// <param name="db"> The database. </param>
    /// <param name="sql"> The SQL statement containing parameters. </param>
    /// <param name="parameters"> The parameters object (might be of anonymous type). </param>
    /// <typeparam name="T">The type of the result value.</typeparam>
    /// <returns>The result of the query.</returns>
    public static T ExecuteScalarWithParameters<T>(this Database db, string sql, object parameters)
    {
        // GetSqlStringCommand creates a CommandType.Text command; the @name placeholders
        // are filled in by the provider, never by string concatenation.
        var cmd = db.GetSqlStringCommand(sql);
        AddParameters(db, cmd, parameters);

        // A SQL NULL comes back as DBNull.Value, which this cast cannot convert
        // (see the caveats below: there is no error handling here).
        return (T)db.ExecuteScalar(cmd);
    }

    /// <summary>
    /// Adds parameters to the <paramref name="cmd"/> based on the properties of <paramref name="parameters"/>.
    /// </summary>
    /// <param name="db"> The database. </param>
    /// <param name="cmd"> The command to add the parameters to. </param>
    /// <param name="parameters"> The parameters object (might be of anonymous type). </param>
    private static void AddParameters(Database db, DbCommand cmd, object parameters)
    {
        // Every public property of the (typically anonymous) object becomes one
        // input parameter named after the property: new { userName = "x" } -> @userName.
        foreach (var parameter in parameters.GetType().GetProperties())
        {
            var propertyType = parameter.PropertyType;
            var type = propertyType == typeof(string) ? DbType.String
                     : propertyType == typeof(int) ? DbType.Int32
                     : propertyType == typeof(Guid) ? DbType.Guid
                     : DbType.Object;

            var name = parameter.Name;
            var value = parameter.GetValue(parameters);

            db.AddInParameter(cmd, "@" + name, type, value);
        }
    }
}

As you can see, it inspects a value of type “object” and uses its properties to build up the parameters. This way you can use anonymous types to pass the parameters to the SQL statement:

using Microsoft.Practices.EnterpriseLibrary.Data.Sql; // SqlDatabase

private string CustomerIdByName(string customerName)
{
    // customerName never becomes part of the SQL text: it is sent to the server as
    // the typed parameter @userName, so a value containing quotes is just a name.
    const string Sql = "SELECT TOP 1 Id AS AspNetUserId " +
                       "FROM AspNetUsers " +
                       "WHERE UserName = @userName";
    var database = new SqlDatabase(this.ConnectionString);
    return database.ExecuteScalarWithParameters<string>(
        Sql, new { userName = customerName });
}

I don’t think this is a really new invention, but it may be useful for you, so I want to share it.

Be aware that this code is far from perfect: currently there is no error handling, no input validation to guide the developer, it only handles strings, integers and GUIDs, etc., so you should not use it “as is” in production code. But since I could not find an example of how to do this via Google, it might be the code snippet that gives you an idea of how to keep your application code even smaller.
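The same idea in a form you can run offline, as an added example that is neither from the original post nor from the Enterprise Library: a Python/SQLite analogue of the extension method (a dict of named parameters instead of an anonymous object), the string-concatenated variant the training application is meant to contain, and two classic payloads run against both. The table and column names AspNetUsers, Id and UserName follow the post’s query; the PasswordHash column, the user rows and the payloads are constructed for this example, and LIMIT 1 stands in for T-SQL’s TOP 1.

```python
import sqlite3

# Constructed sample data, not from the original post.
SAMPLE_ROWS = [
    ("u-admin", "admin", "hash-of-admin-password"),
    ("u-alice", "alice", "hash-of-alice-password"),
]


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the AspNetUsers table of the training app."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE AspNetUsers ("
        "Id TEXT PRIMARY KEY, UserName TEXT NOT NULL, PasswordHash TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO AspNetUsers VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def execute_scalar_with_parameters(conn, sql, parameters):
    """Analogue of ExecuteScalarWithParameters: each key of `parameters` fills
    the named placeholder :key in `sql`. The driver sends the values separately
    from the statement text, so a value can never change the query's structure."""
    row = conn.execute(sql, parameters).fetchone()
    return row[0] if row else None


def customer_id_by_name_vulnerable(conn, customer_name):
    """The anti-pattern the training app contains on purpose: the user-supplied
    value is pasted into the SQL text."""
    sql = ("SELECT Id FROM AspNetUsers WHERE UserName = '"
           + customer_name + "' LIMIT 1")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def customer_id_by_name_safe(conn, customer_name):
    """Parameterized version of the same lookup."""
    sql = "SELECT Id FROM AspNetUsers WHERE UserName = :userName LIMIT 1"
    return execute_scalar_with_parameters(conn, sql, {"userName": customer_name})


# A tautology that matches every row, and a UNION that reads a column the
# query was never meant to return (the trailing -- comments out the rest).
TAUTOLOGY = "' OR '1'='1"
UNION_DUMP = ("' UNION SELECT PasswordHash FROM AspNetUsers "
              "WHERE UserName = 'admin' --")


def demo() -> dict:
    """Run a legitimate name and both payloads through both implementations."""
    conn = make_db()
    return {
        "legit_vulnerable": customer_id_by_name_vulnerable(conn, "alice"),
        "legit_safe": customer_id_by_name_safe(conn, "alice"),
        "tautology_vulnerable": customer_id_by_name_vulnerable(conn, TAUTOLOGY),
        "tautology_safe": customer_id_by_name_safe(conn, TAUTOLOGY),
        "union_vulnerable": customer_id_by_name_vulnerable(conn, UNION_DUMP),
        "union_safe": customer_id_by_name_safe(conn, UNION_DUMP),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:22s} {result!r}")
```

For the legitimate name both versions return the same id. For the tautology the concatenated version returns some existing user’s id, and for the UNION payload it returns the admin’s password hash, which is the “read your complete database” case from the training scenario; the parameterized version returns nothing for either, because the whole payload is compared as a user name. The mapping of dict keys to :name placeholders is exactly what the C# extension does with the properties of the anonymous object and @name.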


C# for Systems Programming

December 29, 2013


With C#, Microsoft seems to be on the right way, at least on a way I really like.

For as long as .Net has been out I have wanted to write code for every platform and every purpose in the same language. Of course each language has its pros and cons for different “problems”, but I simply want to be able to write all kinds of software (web applications, fat clients, services, drivers …) for all kinds of problems (graphical representation of data, database interfaces, rich business logic, machine learning / AI …) in one single language. Often you don’t need the perfect fit of a language to a problem domain: you don’t need CUDA or OpenGL to add a little “busy animation” to your WinForms application, you would do that in C# with GDI+.

In his blog post, Joe Duffy writes about progress in making C# usable for “systems programming”. In short: the extensions add RAII, deterministic destruction and real immutability (something I would really like to have in C#), and combine that with existing C# features like modern exception handling, type safety and all the other things we like about modern languages.

In mid-2014 the team has a “checkpoint”; let’s see when we will get it…


Developer Productivity and Cost of Tools

December 3, 2013

As a consultant for software development I work about 90% of my time on machines my customers own and manage. Often the software already installed on such a machine is an outdated Windows Server 2008 (sometimes even Server 2003), Office and Visual Studio 2010 (very rarely VS2012). The hardware is managed by a provider like HP, IBM, etc. and often consists of a 4-core Intel with a traditional hard disk of about 250 GB (sometimes two of them, one used as a backup device) and 8 GB of RAM. Some of them use virtualization (VMware Workstation as hypervisor, or Hyper-V, which I prefer) to deploy standard hard disk images. On such machines you usually have to work as a consultant without permission to install any software, because that would impose a risk for the customer.

I live and work in Germany. As you might know, this is not one of the countries with low labor cost: if you trust sources like GULP, the average cost of one hour of an “IT freelancer” is about 70,- to 79,- €.

Have a look at your preferred hardware shop: an additional 8 GB of RAM costs about 75,- € (incl. VAT) and a 250 GB SSD about 150,- €, so both together are worth about 3 hours of work. Assuming that you save about 5% of your time when working with a much faster system (compile time, running the test environment, etc.), you save about 0.05*8*20 = 8 hours per month with that additional hardware. Installing Visual Studio cost one of my customers 2 hours on the “cheap” machine; I just installed VS2012 on my laptop with a time investment of less than 20 minutes.

There are plenty of productivity tools developers use: Fiddler, ReSharper, CodeRush, StyleCop, VSCommands, Beyond Compare, just to name a few. Running these tools not only speeds up coding (and so increases productivity) but also increases quality, because some of them warn the developer about common mistakes. I would roughly estimate another 5% increase in productivity from letting developers use the tools of their choice, opening another 8 h * 75 € = 600,- € opportunity for saving money per month and developer.

License cost? Some of the tools have no license cost attached (like StyleCop); others have already been licensed by the developer (in my case ReSharper, VSCommands and Beyond Compare), so many times you don’t need to care about license cost at all. Management of the PC? You might already have virtualized the development environment: just create a snapshot of the standard installation, then let the developer install whatever she/he needs and, in case of any trouble, restore the snapshot. So: no additional issues with the installation of additional software.

Don’t get me wrong: I respect the choices some of my customers made about how to manage their systems and how to spend their money, but I also want to make clear that investing the equivalent of 3 hours of developer time plus some more relaxed policies may save them more than one day of developer time per month. Since the 75,- € per hour rate is not the average cost of development freelancers but the average of all IT freelancers together (including some students doing web design for SOHO customers and many administrators that typically cost less than a Java or .Net developer), this calculation might be off for your scenario: your cost for development consultants may be up to twice as high. Have a look at the cost of your development staff and think of 5 to 10% savings by just installing an SSD and some more RAM and letting the developers use the tools they know best.


Security from the ground up: developers need to learn – again …

November 28, 2013

Not just since Snowden published information about more than 50,000 NSA-hacked computers and the tapping of “internal” data connections between different locations of big internet companies should we be alarmed that “internal” does not mean “free of threats”. Stuxnet taught us that even completely disconnected systems can be targets of cyber criminals, and the latest hacks of Adobe and some US federal agencies show that it is not enough to have some firewalls and some highly trained personnel: defending a network is much more difficult than attacking one.

As an attacker you have to find just one vulnerability to establish a presence inside the network. Inside an application a single injection vulnerability may be enough for the attacker to read your complete database (have a look at Havij and see here how easy it is).

As a defender you cannot stop analyzing the systems and the code once you have found one vulnerability; you always need to analyze everything. Not only with some fancy vulnerability scanners: you need to perform white-box testing of all of your applications.

But if you only start with pen-testing, it is already too late to build security in a cost-efficient way. If you have to change the internals of authorization inside your application or rework your data access because of possible injections, you will have to spend a lot of time and money. This needs to be fixed during development, not when the code is already finished.

Disclosure: I work for SDX AG as a Chief eXpert – a software development consultant not only responsible for web application architectures of our customers, but also for the internal SDX IT infrastructure and for all topics related to application security.

At our next “Office Day” (a monthly event where all SDX consultants meet at our “home base” for business updates and a nice chance to have some tech talks with colleagues) I will give a lesson about security-related issues and solutions for .Net web development, and so should you. It is definitely time to start learning and teaching all kinds of security-related information for developers. It is important to make all developers understand that using SSL only protects the transport: it does not protect an application against injection, XSS, CSRF or configuration errors.

As a good starting point: have a look at the OWASP Top 10. Hire a consultant to pen test your applications (and find yourself something you expect her/him to find). Have a look at the OWASP Application Security Verification Standard Project. As a .Net developer the blog of Troy Hunt should be on your reading list.

There is so much to learn – every day. Start now or you will be hacked tomorrow.


Good video: “Building consistently good software with ordinary people” – Pieter Hintjens

November 18, 2013

In this talk, Pieter Hintjens describes many things I agree with 100%. I think it is a “MUST VIEW” video for developers and, more importantly, for technical leads:

“Building consistently good software with ordinary people” – Pieter Hintjens

Your “project” (better: your “product”) does not have to be open source to follow Pieter’s suggestions. You can also apply this in large companies, but that means you have to change the way other projects deal with your project: they have to treat your product as a “3rd party library”, and your process might differ completely from their process.

Main point to take from this, in my opinion: rapid and continuous deployment is 100% possible if you allow externals to “inject” test cases (unit tests) into your project. There are many tools that support such a process (TFS with continuous integration, test and delivery is the one I’m familiar with), so if you want happy users of your solution to a problem: reengineer your processes, start automating test/build/deployment and shorten deployment iterations. You might need “evolution” rather than “revolution” to move to a better process, but it is absolutely possible.

Even if you disagree with his way of software development, or if you think your organization does not allow such a way of development (because your organization is too complex, or simply by policy), you should watch the video, think about it, and see which of the ideas you can apply to your projects to make them better.


Linux HID Code enables Memory-Overwrite via USB?

September 4, 2013

There seem to be some serious issues with the current HID code in some Linux distributions (see “Linux HID security flaws”). What this IMHO means: if you use Debian (Wheezy) or Red Hat (Fedora 19, Enterprise Linux 6) in environments where a USB port is accessible to unauthorized persons, you are at risk until you run a patched kernel.

Exploitation seems to be so quick and easy for a prepared attacker that I think you should be aware of the risk: a “Teensy USB Development Board” plugged into an accessible port may be enough to compromise a vulnerable system within seconds.

