Erik Oppedijk

Encrypt your USB devices, using Bitlocker To Go

Erik Oppedijk — Thu, 17 Dec 2009 10:53:00 GMT

Why don't we encrypt our USB disks and USB harddisks? Well, most people think it's difficult, so lets dive into some details encrypting your drives with Bitlocker To Go in Windows 7.

So we want to protect the data on our USB devices, so in the event that we lose a device (or when it is stolen) the information is unavailable to other people. Note however that it's still possible to format the USB drive, only the information is encrypted, but our goal is achieved, nobody can access the data.

Use FAT32 for older systems
If we want to access our Bitlocked data from older (non Windows 7 systems), then make sure the USB drive is formatted as FAT32 !!! All drives with formatted with NTFS won't have the Bitlocker to go reader, so you'll be unable to access your content(read only)! Only with the FAT32 filesystem a seperate partition is created with the reader application installed on it. NTFS drives will prompt the user to FORMAT the drive, so watch out with this!

Getting started
Just right click your device, and choose: Turn on Bitlocker...

Enter a password, save the recovery key to another drive and now just wait.... quite some time before the complete device is encrypted. This can take up to a few hours for larger devices. For unlocking the device with a smart card, the certificate on the smartcard needs to have the right (Extended) Key Usage mentioned. See this article for more information: http://blogs.technet.com/deploymentguys/archive/2009/06/17/windows-7-and-bitlocker-cmd-line.aspx

And for how to remove Bitlocker from a drive: http://blog.unlockforus.org/2009/05/how-to-remove-bitlocker-encryption-in.html

Just ask yourself these questions: Where are all your USB devices at this moment, did you loose some? Who has access to your devices. Did you ever forget your USB disk in the train/subway/bus/internet cafe? Did one of your coworkers lose anything lately? Any events in the news where a bank, military or government worker lost a USB drive?

CISF and Application Portfolio Management

Erik Oppedijk — Wed, 16 Sep 2009 14:05:00 GMT

Microsoft is busy building a Security Infrastructure (or Portal) and is building the Connected Information Security Framework (CISF), a project by Mark Curphey, from the OWASP project.

The goal for CISF is to combine all Security related information into a central location, with the focus on building blocks and customization. So CISF will become a Portal, with "Widgets" for presenting the various pieces of security information. Combine this with some analytics (BI), Workflow, tasks, risks assets, authorization and notifications. This is all being build on .NET 3.5 with WF, and there are even plans to incorporate "Geneva".

The first CTP delivers a subset of the planned features and starts with the Authorization and Application Portfolio Management (APM).

In here we can define our "Risk Impact Assessment", which is a list of questions combined with a scoring system for each answer. Every application will need to complete this assessment which will result in a score. For each range of scores we can assign tasks to be executed in the various software development stages (like design in the above picture). The whole process is monitored by task status fields.

The general framework used here is very nice, it's very easy (and even intended) to create/add custom questions, add users to the system, change properties, questions and score ranges.

Installation was pretty straightforward, first install the database (on a SQL 2008 instance) and then extract the website, and change the connection strings, just read the documentation included!

For more information on CISF and building widgets, read the following articles:

Creating a redistributable CISF Portal Widget
Create a Bing Widget for the CISF Security Portal
Understanding CISF Portal Widget Framework
An Introduction to the Connected Information Security Platform or CISF

ASP.NET Vulnerability testing with CAT.NET

Erik Oppedijk — Wed, 26 Aug 2009 14:59:00 GMT

CAT.NET is an add-on for Visual Studio to analyze Web Applications projects (sorry, Web Site projects are not supported) for common security flaws.

So lets start a fresh site and look for some potential security risks with CAT.NET. Everyone knows that when we echo the input from a TextBox into a Label we are vulnerable to attacks, but what about dropdowns? Lets make a page with a DropDown with several values, a Label and a Button. In the Button_Click event we copy the DropDownList1.SelectedItem.Value to the Label1.Text.

Now start CAT.NET (from Visual Studio, Tools), and run an analysis on this project:

We have 1 XSS scripting error, because even though the user can only select a value from the dropdown and submit it, an evil user can open up his favorite hacking tool (e.g. Fiddler) and modify the data that's being submitted. Lucky for us, ASP.NET will stop most of these attacks for us, by filtering on HTML tags, and unicode attacks, but it is always a good practice to encode all output. Encode using the Anti-XSS library, because this does a better job than the regular HttpUtility.HtmlEncode().

However, what if the data is used in for example a LDAP query? Take a look at this LDAP example. CAT.NET will catch this and mark it as an LDAP injection attack. Because in a LDAP attack, the attacker can use normal symbols like: " ( * ) cn=" which are allowed by the ASP.NET ValidateRequest mechanism.

We can control which checks occur, CAT.NET supports the following checks:

Process Command Execution
File Canonicalization
Exception information
LDAP injection
XPATH injection
SQL injection
Redirection to user controlled site
Cross site scripting

CAT.NET tries to detect as much as possible, but for example will not detect bad data coming from databases.

Get the V1 CTP 32bit version here: http://www.microsoft.com/downloads/details.aspx?FamilyId=0178e2ef-9da8-445e-9348-c93f24cc9f9d&displaylang=en
and for the 64 bit look here: http://www.microsoft.com/downloads/details.aspx?FamilyId=e0052bba-2d50-4214-b65b-37e5ef44f146&displaylang=en

Stay tuned for a new release from microsoft, the Web Protection Library. This library is intended to protect EXISTING applications, and will filter incoming and outgoing request to prevent attacks!

Cross-Site Request Forgeries (CSRF) explained

Erik Oppedijk — Wed, 22 Jul 2009 13:45:00 GMT

The Cross-Site Request Forgery is a relatively unknown and misunderstood attack, often mixed up with the Cross-Site Scripting (XSS) attack.

The biggest difference is the server where the malicious code is hosted. With a XSS attack, that code is injected in the trustedsite you are visiting (e.g. a Forum site, or any other site you trust and sign on to) and tries to steal information by sending it to another location:

With the CSRF the scenario is reversed, a user is tricked to a specially crafted URL (either from a compromised site, or in an email message) which executes on the trusted site.

For instance, the trusted site has a voting mechanism, http://www.mytrustedwebsite.com/vote?123 and the compromised site has a page with an image tag with the same address, everyone going there is downloading/clicking it (or use some javascript or a hidden frame) and will enter a vote.
Nothing really bad can happen here, right? But what if the trustedsite has a delete URL, or a "transfer money" option. The bad thing here is that the attacker can use any open session on the trusted site, and use the credentials of that user. So always sign out when you're done at a site!

Of course this problem seems to involve a GET request, but it can also be done with POST requests, so be aware of this.

Some ways to mitigate this is to only accept POST request, check the referer property of the browser(not always available in all browsers) and add a special unique token/cookie to every request to make sure the visitor really was a visitor at that moment at the trusted site.

The forgotten ASP.NET Security switches and settings

Erik Oppedijk — Mon, 04 May 2009 13:34:00 GMT

Retail switch

One of the security flaws I encounter in a lot of application/web server in production is the ASP.NET error message with all the detailed information in there:

Which tells a potential hacker you are running ASP.NET, the version of ASP.NET is also published and even the path on the filesystem is in there. Also it tells the user too much information, and in 1 case the test team was expecting this and used these screens to validate an application.

We can avoid this with a single line in our machine.config file in the system.web block:

1	<deployment retail="true" />

This SHOULD be the default in every production server you encounter!
It effectively disables remote detailed error messages, forces the compiler to ignore the "debug" compilation settings, and enables caching for all WebResources.axd calls.

The root cause for this problem is that a "development" web.config file(with remote errors enables) is copied into the production environment. The retail switch protects us against this, but be sure to check your config files for other errors as well.

ViewStateUserKey

To protect POST request to our ASP.NET applications we can use the ViewStateUserKey (dont turn off ViewState MAC) to enable the viewstate to contain a unique value per user. This will help mitigate against a CSRF (Cross-Site Request Forgery) attack. This won't help against GET request, because there is no viewstate in there, so keep protecting these.

The code is very simple:

void Page_Init(object sender, EventArgs e) 
{ 
    ViewStateUserKey = Session.SessionID;
}

URL Security flaw - or not?

Erik Oppedijk — Thu, 02 Apr 2009 08:10:00 GMT

In this post I want to focus on a common security flaw, the URL.

So let's start with an example:

1	http://www.infosupport.com/getProduct.aspx?ProductID=123

Nothing wrong, a customer can manually change this URL to go to another page to view another product.

1	http://www.infosupport.com/getCustomer.aspx?CustomerID=456

Potentially wrong, because a customer can look into the account of another customer.

So for an anonymous sites with public information there is no problem, but whenever we have private information, we need to authorize the user, otherwise we run a very big risk in information disclosure.

Ways NOT to solve this:

Move the CustomerID to a Cookie
Move the CustomerID to a hidden field / Viewstate
Obfuscate the URL with some random numbers
Use a custom encryption mechanism
Use logging/tracking to keep track of unauthorized requests

So how do we solve this problem? We need to apply authorization, so we can make sure that the current authenticated users have the right role to view the information. The best way to do this is to add authorization checks to your Business Layer, Data Access Layer or in the Database itself.
With the advance of the RIA applications (Ajax, Silverlight, Flex, Air) the need for this is even greater, the UI will do some role filtering, but we ALWAYS need to check this in our web services layer/backend systems! Also we could apply logging, but this will only help us after an attack to determine the information being disclosed.

The advantage of still using the URL with private information is that an authenticated user can still bookmark the page with the URL, the user can even forward the url to another person, who can only view the information when properly authorized. The URL isn't the problem here, just an innocent victim of improper authorization.

During most security reviews I've done lately I found this flaw. Most of the time the site started out as a public site, and later authentication was added, together with the private data. So be aware of this for the future!

CCR and DSS Toolkit released

Erik Oppedijk — Wed, 29 Oct 2008 14:45:00 GMT

Microsoft released a separate toolkit for using the CCR and DSS framework inside your own applications, enabling Concurrent programming inside your regular C# (or VB.NET) application. And managing a directory of services with the DSS framework. So there is no need anymore for using Robotics Studio for these environments.

http://www.microsoft.com/ccrdss/

Get the whitepaper here:

http://download.microsoft.com/download/5/6/b/56b49917-65e8-494a-bb8c-3d49850daac1/Microsoft%20CCR%20and%20DSS%20Toolkit%202008%20Standard%20Edition%20Datasheet%20EN.pdf

Also read the stories from Siemens and Tyco, Siemens uses the CCR to scan mail (not email) and OCR the results and Tyco using the CCR for a security system. Both with great numbers of messages.

"hosted" BizTalk Workflow Services

Erik Oppedijk — Wed, 16 Jul 2008 10:40:00 GMT

The BizTalk Labs have delivered a new part, a hosted Workflow Service, now it is possible to create a workflow and host it in the "cloud". we can use the ISB (Internet Service Bus, instead of Enterprise) to send messages across the internet. Combine this with authentication and authorization and we have a powerfull orchestrator.

Get the BizTalk Services SDK, it will contain a "watchdog" sample workflow, this workflow will ping a website, and will report the status to a chat client (MultiCastSample). To create this, there are some new Activities to use from the Toolbox, e.g. a CloudDelay, a CloudIfElse, etc.

From the workflow.biztalk.net site (after creating some InfoCards for authentication) we can create our own Workflow (by copying the XOML and rules from Visual Studio) into the site. This is our workflowtype, and in the UI from the BizTalk Labs, we can create an instance of our workflow, and we can start the instance. Now the workflow is checking the site every 30 seconds, and sending messages to the Chat client

Finally we can start the client.

So this sample allows us to subscribe to (chat) messages coming from the "cloud" and we've started a WF process, which sends messages to our cloud. So the whole proces of Orchestrating service calls, authentication and authorization, connecting through firewalls are all done by the BizTalk Services SDK.

Don't forget to suspend the workflow, it will keep on running...

ASP.NET and Concurrency

Erik Oppedijk — Fri, 13 Jun 2008 11:39:00 GMT

Paul Roberts wrote a nice article [1] about using the CCR (Concurrency and Coordination Runtime) together with ASP.NET, to start multiple task concurrently. The CCR will handle the thread pool for us.

The CCR is now still a part of Robotics Studio, but there are some rumors this will be part of the .Net Framework. After implementing some helper CCR functions in our base class, we can start using the async model by spawning some tasks:

protected void Page_Load(object sender, EventArgs e)
{
    ...
    int count = 10;
    for (int i = 0; i < count; i++)
    {
        SpawnIterator("http://wwww.microsoft.com", resultPort, DownloadUrl);
    }
    ....
}

IEnumerator<ITask> DownloadUrl(string url, SuccessFailurePort resultPort)
{
// Async processing to download from url.
System.Threading.Thread.Sleep(2000);

resultPort.Post(new SuccessResult());
yield break;
}

The CCR will take care of all the async responses (using Ports). So to speed this up, we can control the amount of threads in the CCR thread pool in our global.asax:

protected void Application_Start(object sender, EventArgs e)
{
Initialize(4);
}

Read the complete article for all the helper classes we need to get this working.

[1] http://blogs.msdn.com/pollrobots/archive/2008/06/09/using-ccr-with-asp-net.aspx

DevDays 2008 - Robotics Geek Night

Erik Oppedijk — Fri, 23 May 2008 09:32:00 GMT

Yesterday we (Raimond, Marcel and me) gave a presentation during the DevDays Geek Night. The room was packed with about 200 enthusiastic geeks! We talked about Robotics in general, the new Robotics Studio 2.0 beta, the RoboChamps robotic competition and also on the design of our robot "Woody". Finally a real life demonstration of Woody driving around on the podium and grabbing some colored balls.

Get the Woody PPTX file, and also check out these links with video's we've used during our talk:

the AMAZED RoboChamps web site
Robochallenge 2007 video impression
NAO Robocup 2008 Soccer robot

BizTalk 2006 R3 announced

Erik Oppedijk — Wed, 23 Apr 2008 09:01:00 GMT

Microsoft announced a new release for BizTalk, and it's an R3 release.

Major investments for this release will be Visual Studio 2008, Windows Server 2008 and SQL Server 2008 support, alongside with a new service registry based on UDDI, updated support for SWIFT, EDI, RFID. and a bunch of SOA best practices. So consider this as a minor update.

The proposed release date of H1 CY09 means that the new BizTalk Oslo features/version will still take a long time to reach us, so we'll have to wait for integrated WF support.

Also a new Host Integration Server 8 is announced, together with the "BizTalk Adapter Pack 2". Sign up for the TAP on the microsoft connect site.

BizTalk 2006 R2 Deep Dive - 19th may

Erik Oppedijk — Fri, 18 Apr 2008 08:01:00 GMT

We'll be delivering the Quicklearn BizTalk 2006 R2 Developer Deep Dive from may 19 till may 23 in our location in Utrecht.

So, are you an experienced BizTalk developer, and are you interested in all the details of BizTalk 2006 R2 then this is the course for you!

Topics included:

Advanced Pipeline development
BizTalk RFID
Schema Extensions
Detailed Business Rule Engine (BRE)
The new R2 EDI features
plus much more

For the full description, have a look at our website

RoboChallenge 2008 Kickoff

Erik Oppedijk — Fri, 09 Nov 2007 09:23:00 GMT

Next week, on friday the 16th of november at 15:00, we'll be hosting the kickoff for the annual RoboChallenge contest at our location in Veenendaal.

The RoboChallenge is a nice contest open to everyone, the purpose is to build a robot, and program it to drive around and collect colored objects. Take a look at the RoboChallenge site.

If you are interested in Robotics and this competition, drop me an email and join us at the kickoff next week, it would be nice to see more competitors from commercial companies!

Another BizTalk User Group meeting

Erik Oppedijk — Thu, 25 Oct 2007 11:42:00 GMT

On Friday November the 9th there will be a new BTUG meeting. Main topic is BizTalk 2006 R2, with a session from Sudir Hasbe, the Microsoft Corp Product Manager for BizTalk. He will be presenting on the integration between BizTalk 2006 R2 and the RFID functionality.

Take a look at the BTUG site for more information and the registration page.

Ensim 3.2 SDK Training

Erik Oppedijk — Tue, 28 Aug 2007 15:31:00 GMT

Last week I followed an Ensim 3.2 SDK Training, together with Edward, Vincent and some of my Belgian Colleagues.

(for those who don't know Ensim, they have a product for provisioning Hosted Exchange, IIS, SQL and WSS, which we happen to use for our hosting services)

We had a nice time, learning a lot on the SDK, and now it's up to my Belgian colleagues to build a Service Manager for MS CRM 3.0 as a plugin for the Ensim product.

Overall I was quite impressed with the SDK, a lot of extensions are possible when you write your own Service, including upgrades, hotfixes and internationalization. Also the framework to create the user interfaces is very nice, they've made some very nice controls to create a consistent UI and some advanced grids.