The Lessons We Should All Relearn From HBGary
Ars Technica published a long (by Web standards) story yesterday about the hacking of HBGary by Anonymous. It is absolutely, positively, must-read information for beginner Web developers and, for that matter, for experienced Web developers, too.
For those unfamiliar with the story, HBGary is an information systems security consultancy. It is not huge, but it has been successful at winning work with the federal government and a number of companies.
But HBGary wanted to get bigger; to exploit the headlines and prove itself worthy of major government and corporate contracts. So HBGary hatched a couple of schemes.
One was to help Bank of America discredit WikiLeaks with a disinformation campaign and character assassinations. The other was to “unmask” the Anonymous hackers who set off several DDoS attacks against Visa, Bank of America, and others perceived as having harmed WikiLeaks.
Unfortunately, HBGary boss Aaron Barr decided to go public with his plans to expose the alleged hackers. So Anonymous decided to attack HBGary, and the rest is our lesson for the day.
Custom ErrorDocuments Available For Download
After writing so much about the ASP.NET cryptographic padding oracle exploit, and the recommended workaround of a static error document, it dawned on me that I should probably make some custom error documents for my domains.
And then I decided I should share them. So, if you’re so inclined, you can download the custom error documents I use on this site. I release all code under the latest version of the GNU GPL.
I’ve created pages for 401 (unauthorized), 403 (forbidden), 404 (not found) and 500 (internal server error) HTTP errors. Here’s how they look:
I designed these to be valid XHTML 1.0; to render well at all screen resolutions of 1024 x 768 and greater; and to look the same in most Web browsers. (Of course, I exclude Internet Explorer prior to version 7 from that list.)
This little exercise also gave me a chance to play with the Google Font API. There aren’t a lot of fonts available yet, but using the API couldn’t be simpler.
Instructions on implementing custom error documents on Apache can be found here. Microsoft documents how to configure the customErrors section of your ASP.NET web.config file here.
All links in this post on delicious: http://www.delicious.com/dougvdotcom/custom-errordocuments-available-for-download
ASP.NET Crypto Exploit Patch Now Available Through Windows Update
Scott Guthrie announced yesterday that the hotfix for the ASP.NET cryptographic padding oracle exploit is now available on Windows Update / Windows Server Update Services.
Points of note:
- Persistent authentication cookies will need to be reset after applying the patch. In other words, if your site uses Forms Authentication, all your users will need to log in again after you apply this patch.
- You will still be able to persist Forms Authentication sessions across versions of ASP.NET. In other words, if you have multiple applications, running multiple versions of ASP.NET, on a given domain, one Forms Authentication login will work for them all, provided they share the same data store for authentication.
- If you run a web farm, every machine in that farm must run the same version of ASP.NET, and the patch needs to be applied to all of them.
All links in this post on delicious: http://www.delicious.com/dougvdotcom/asp-net-crypto-exploit-patch-now-available-through-windows-update
ASP.NET Crypto Exploit Patch Ships Tuesday, Sept. 28
Scott Guthrie noted on his blog that Microsoft will ship, on Tuesday, a hotfix for the ASP.NET cryptographic padding oracle exploit. It is to be released at 10 a.m. PDT; that’s 1 p.m. EDT / 17:00 GMT.
Guthrie says the patch has been fully tested and, once installed, removes the need for the previously published workarounds. In other words, after you install this patch you can turn custom errors back off, or once again map specific errors to their own custom error files.
Glad Microsoft worked this out so quickly. Don’t fail to get and apply this patch.
All links in this post on delicious: http://www.delicious.com/dougvdotcom/asp-net-crypto-exploit-patch-ships-tuesday-sept-28
Microsoft Urges URLScan Implementation To Combat Crypto Vulnerability
In a further update on how to combat the ASP.NET CryptographicException hack, Microsoft is now urging webmasters to use the URLScan utility to further thwart oracle attempts.
In a blog post on Friday, Scott Guthrie, corporate vice president of .NET at Microsoft, said the step — which removes aspxerrorpath as an allowed querystring variable — “prevents attackers from distinguishing between the different types of errors occurring on a server – which helps block attacks using this vulnerability.”
URLScan is an Internet Information Services (IIS) extension. If you manage your own IIS server, you should follow the instructions in Guthrie’s blog post to download, install and configure the workaround.
If you are on shared or managed hosting, check with your Web host’s tech support department to see if they have implemented, or will implement, this step for you.
Again, this is a serious threat that is fully scripted, meaning any malcontent — including one with no practical programming skill — can exploit a site with widely available tools.
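Why a single, indistinguishable error page defeats the attack is easiest to see in a small simulation. The following Python is an added example, not code from these posts, from Microsoft or from the published exploit tools: a toy CBC token service that, in "leaky" mode, answers a badly padded token with a different page than a well-padded but otherwise invalid one (the distinction the unpatched error handling exposed), and in "uniform" mode answers every failure with the same static page (what the static error document and the aspxerrorpath URLScan rule achieve). The block cipher is a constructed SHA-256 Feistel stand-in for AES so the block has no third-party dependency; the key, IV and path are constructed sample values. The attack itself is the standard CBC padding oracle decryption, which needs nothing more than a yes/no answer about padding per query.

```python
import hashlib
import hmac

BLOCK = 16
PADDING_ERROR = "500 CryptographicException"   # the distinguishable error page
CONTENT_ERROR = "404 Not Found"                # a different page for other failures
GENERIC_ERROR = "500 error.html"               # one static page for everything


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


# Constructed toy block cipher: 4-round Feistel keyed through SHA-256. It stands
# in for AES only to keep the example dependency-free; the attack does not care.
def _round(key, rnd, half):
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def block_encrypt(key, block):
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _round(key, rnd, r))
    return l + r


def block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _round(key, rnd, l)), l
    return l + r


def pad(data):                      # PKCS#7
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data):
    n = data[-1] if data else 0
    if n < 1 or n > BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key, iv, plaintext):
    out, prev = b"", iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, _xor(plaintext[i:i + BLOCK], prev))
        out += prev
    return out


def cbc_decrypt(key, iv, ciphertext):
    out, prev = b"", iv
    for i in range(0, len(ciphertext), BLOCK):
        cur = ciphertext[i:i + BLOCK]
        out += _xor(block_decrypt(key, cur), prev)
        prev = cur
    return out


def tag(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class Server:
    """Decrypts path||tag tokens. leaky=True reports *why* a token failed,
    like an unpatched server; otherwise every failure gets the same page."""

    def __init__(self, key, leaky):
        self.key, self.leaky = key, leaky

    def handle(self, iv, token):
        try:
            data = unpad(cbc_decrypt(self.key, iv, token))
        except ValueError:
            return PADDING_ERROR if self.leaky else GENERIC_ERROR
        body, t = data[:-8], data[-8:]
        if not hmac.compare_digest(t, tag(self.key, body)):
            return CONTENT_ERROR if self.leaky else GENERIC_ERROR
        return "200 OK"


def recover_block(oracle, prev, target):
    """Recover one plaintext block from oracle(prev, target) -> 'padding OK?'.
    Returns None when the oracle gives no signal (every guess 'passes')."""
    inter = bytearray(BLOCK)                 # D_k(target), learned byte by byte
    for pos in range(BLOCK - 1, -1, -1):
        padval = BLOCK - pos
        forged = bytearray(BLOCK)
        for j in range(pos + 1, BLOCK):
            forged[j] = inter[j] ^ padval    # force every later byte to padval
        candidates = []
        for guess in range(256):
            forged[pos] = guess
            if not oracle(bytes(forged), target):
                continue
            if pos > 0:                      # rule out an accidental longer padding
                forged[pos - 1] ^= 0xFF
                still_ok = oracle(bytes(forged), target)
                forged[pos - 1] ^= 0xFF
                if not still_ok:
                    continue
            candidates.append(guess)
        if len(candidates) != 1:
            return None
        inter[pos] = candidates[0] ^ padval
    return _xor(inter, prev)


def recover_plaintext(server, iv, token):
    """Attacker's view: any response other than the padding-error page means
    the padding was accepted. With uniform errors that test never discriminates."""
    oracle = lambda prev, target: server.handle(prev, target) != PADDING_ERROR
    blocks = [iv] + [token[i:i + BLOCK] for i in range(0, len(token), BLOCK)]
    out = b""
    for prev, target in zip(blocks, blocks[1:]):
        rec = recover_block(oracle, prev, target)
        if rec is None:
            return None
        out += rec
    return unpad(out)


def demo(leaky):
    """Constructed key, IV and path; returns the recovered path, or None."""
    key, iv, path = b"constructed-example-key", bytes(range(BLOCK)), b"/reports/q3-internal.aspx"
    token = cbc_encrypt(key, iv, pad(path + tag(key, path)))
    recovered = recover_plaintext(Server(key, leaky), iv, token)
    return None if recovered is None else recovered[:-8]


if __name__ == "__main__":
    print("leaky server   ->", demo(True))    # attacker reads the token
    print("uniform errors ->", demo(False))   # attacker learns nothing
```

The attacker never needs the key: each query asks only whether a forged previous block produced valid padding, and the leaky server answers that question with its choice of error page. The same code against the uniform server sees 256 "valid" guesses for the very first byte and gives up, which is the whole effect of the workaround; the HMAC tag on the token is what the patched framework's authenticated encryption provides for real, and it is included here so a forged token cannot succeed by chance.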
All links in this post on delicious: http://www.delicious.com/dougvdotcom/microsoft-urges-urlscan-implementation-to-combat-crypto-vulnerability