Author Archive
Of Human Stupidity
For a number of years, I have felt that tech companies must be seriously lacking in acumen to take the policies they do with regard to their customers. Yesterday I noticed however that it is not restricted to tech companies, and it makes an interesting study in human stupidity to see this in operation.
So for example, a search for property management companies in the UK came up with this
http://www.reviewcentre.com/reviews117367.html
I have no personal knowledge of the company involved, or whether the reviews in question are in fact accurate, but I find it inconceivable that any commercial entity would allow their customer service (or their marketing department) to be so egregiously bad as to have that kind of review show up in search engines. I mean surely they must realize that in the modern world, potential customers are going to look for reviews – and that it is not going to be a positive thing if you have a consistent 1 star rating.
But then I got to comparing it to the behaviour of tech companies – and I am afraid that three immediately jump to mind. I used to administer Lotus (heard of them?) technologies. At one point they had a massive chunk of ...
Windows Azure Backup
I just configured the preview version of Windows Azure Backup. It is very nice looking and easy to use once you get it up and running - but the instructions to install it are difficult to find and a bit patchy.
First, you have to create a certificate for your vault. You use a utility called makecert.exe, which is part of the Windows SDK (the link in the documentation to TechNet doesn't work, so you can get it here):
http://msdn.microsoft.com/en-US/windows/desktop/aa904949
For reasons that are not clear to me the utility doesn't seem to be available as a standalone - but downloading just the tools part of the SDK contains it.
Then the documentation that actually works is here (there are several wrong versions in different places dotted across their sites).
http://msdn.microsoft.com/en-us/library/windowsazure/dn169036.aspx
The key thing is to follow the instructions exactly - you need both the .cer file and the .pfx file (the public and private keys).
Once you have followed all the instructions and configured your vault you can go ahead with the local software install. If you have had the Beta version of the agent installed, you need to uninstall it and then install the new one. Once the software is installed and ...
“Performing a DIY Security Review” Workshop at BSides London
We had a great time doing our workshop at BSides London recently. In fact we had a great time in general - the conference was lots of fun.
This was the first long(ish) workshop I had ever prepared for a conference, and I was surprised at how much work was involved in it (compared to an ordinary presentation). We not only had to create the presentation, but build the infrastructure, create Kali builds on USB sticks, set up the demos, prepare a worksheet for the participants and prepare the two 'test reports' I had promised in the description of the workshop. Then we had to test, test, test in an attempt to appease the dark god of demos!
We were coming down from Scotland to London for the event and quickly discovered a major drawback - we had a lot of kit.... We needed two PC laptops to be the Nessus servers and host the VMs for the demos. We also had a Surface Pro for running the demo, a Surface RT (just for kicks) and a MacBook Air to run Rory's presentation. Add in a switch and cables (because we didn't like the idea of trying to run eight sets of Nessus ...
Three Lines
We've decided that the results/recommendations coming out of most of the Internal Security Reviews we do can be summarised in three lines.
a) Patch everything. Not just Windows - everything.
b) Change default credentials. Don't leave your main router with creds of admin/admin.
c) Get rid of clear text protocols. Ditch telnet for SSH and FTP for SFTP.
It doesn't require Ninjas, Red Teams or zero-days to compromise most organisations, given access to their internal networks. In fact, why bother with anything fancy when the most basic of techniques uncovers such glaring faults?
Workshop at BSides London
As well as Rory's talk on pentest automation at BSides London - we will both be doing a workshop "Performing a DIY Security Review". It is aimed at IT Professionals and shows the basics of how to prepare for a Security Review ("pentest"). This is something that is dear to our hearts because writing about SSLv2 over and over again is not something which either excites us greatly, or provides a great deal of value to customers. We think people should do a preparatory review themselves and let the tester concentrate on the specialized stuff - giving better value for money and a shorter, more focused report.
http://www.securitybsides.org.uk/workshops.html
So the workshop is all about using free or low cost tools to look at a network and remove glaring faults from it prior to having a test done. We don't cover web application testing - but if this one proves of interest we may do something along those lines in the future.
I'll post the slides and documentation here after the event.
Review of Surface Pro
I just got my Surface Pro a few days ago – albeit I had to import it from the US with the help of a friend over there. I’ve not had it for long, so these are initial impressions I will add to later, but so far I am very pleased with it and think it is going to greatly appeal to businesses over here when it is released in the UK (I hope Microsoft are reading this….).
As I mentioned in an earlier posting, I have been using Windows 8 on touch devices since it came out, first on an Iconia W500 tablet I upgraded from Win 7 myself, then RT on the Surface since Sept 2012 – so this is really a comparison between the Surface Pro and what has gone before.
Hardware
The first thing you notice when you are an RT user and take the Pro out of the box is that it is a fair bit heavier and thicker than the earlier device. I suspect, however, that you would not realize this if you hadn’t been a heavy user of the other one. It weighs in at 900 grams which is just enough more than the 680 grams of the ...
Request Validation in ASP.NET
We test a lot of ASP.NET web applications. On about 40% of them, we notice when testing for cross-site scripting that the only thing protecting against it is the framework's own Request Validation. In other words, when you enter a basic XSS vector - you get a Yellow Screen warning that your input has been blocked as potentially dangerous.
This is all very well in its way - but for years we have been putting in our reports that relying on it is bad practice because it is a pretty crude control mechanism. Firstly, it is pretty ugly and makes you think right from the start that the developer hasn't put much TLC into his product, and secondly and more importantly, Microsoft themselves do not recommend it as a substitute for a proper input validation method created within the application itself, as there is no way that the designers of the framework can predict what type of content an individual application will need to accept in a given field.
So now there are XSS vectors that get round this - for example
http://www.vulnerablesite.com/login.aspx?param=<%tag style="xss:expression(alert(123))" >
MS have said that they are not going to fix it - which seems justifiable as they never recommended ...
Old Browsers
I am so sad - but while I had the old versions of operating systems fired up for my previous post, I couldn't resist having a look at some modern websites with the default browser that came with them.
Specifically, I looked at IE2 (NT 4), IE5 (Windows 2000) and Netscape Communicator 4.76.
As might have been expected - IE2 didn't really work at all. www.bbc.co.uk seemed to start loading up JavaScript and then did nothing as did www.google.com. www.wikipedia.org and www.scotsts.com generated JavaScript errors but then showed a minimalist version of the page - as did www.microsoft.com. The only site that actually worked properly was our old friend www.armory.com which says it is best viewed in 'any browser' and does what it says on the tin. Netscape was about the same although it did make an attempt at Google's site. Microsoft's site just crashed the browser.
IE5 was a bit of a better story. All the sites I originally tried actually loaded up. I turned JavaScript error reporting off and all the pages I originally tried either work or sort of work. By which I mean that a lot of them will load and are usable ...
O/S Boot Times
We got a new Lenovo T430U yesterday and with its new SSD we discovered it boots from the BIOS to Windows 8 in three seconds.
I remember corporate machines back in the 90s taking 20 minutes to boot - so I got to thinking: is the improvement down to the modern hardware or the modern OS, or a combination of the two?
So in the interests of scientific enquiry I gave it a go and got the following results - all using VMware Workstation on an Intel Core -5 CPU with 16G RAM. I deliberately did not use VMware Tools for any of them, because they are not available for the older operating systems and do tend to speed things up. I also compared this with Windows RT on my little Surface with its ARM processor and 2GB RAM, and also with the iPad, the Xbox and two different phones.
Windows 7 Professional - 20 seconds
Windows NT 4 Workstation - 18 seconds
Windows Server 2000 - 22 seconds
Windows 8 Enterprise - 6 seconds for a full restart or 4 seconds from the 'shutdown' state which is really a sort of suspend to disk.
Ubuntu Linux was very slightly longer than Windows 8 at about 7 ...
Review of the Surface RT
I bought the Surface RT back in November as a replacement for the Iconia W500 tablet I reviewed on this site previously. Having had it for a few months now, I thought it would be about time for a review. I've read some shocking rubbish about the Surface specifically and Windows 8 in general - so I'd like to put the record straight as probably one of the few people who have been using a Windows 8 tablet since inception (I installed the Consumer Preview the day it came out).
Hardware
With a couple of minor niggles, the hardware on this device is first class. Everything about it screams quality and attention to detail from the casing to the kickstand to the screen itself. I recently had the opportunity to demonstrate the Surface to a number of people at a conference, and the general consensus was that the screen was butter smooth and the keyboard pretty good to type with (not as good as a full-on PC keyboard - but excellent for something only a couple of millimetres thick). With the Iconia I used to have - the screen was sluggish compared to the iPad; with the Surface it is possibly even ...