Monday, December 29, 2003

The Remediator Security Digest: The Weakest Link: Social Engineering

Via Meryl's blog I arrived at
The Remediator Security Digest: The Weakest Link: Social Engineering
A good read on Social Engineering.
It amazes me how many people, at my company too, still really don't want to know anything about the need for keeping passwords secure. Two cases I encountered recently are:
  • a user, while at home, handing her password to a colleague at work who needed something from her computer (we have a one user, one computer policy). It took some effort to explain why they shouldn't do something like this.

  • someone just shouting his password across the room to me when I (as an admin) needed access to his computer (which he was logged on to and had locked, which was good), right after I had said something like "... and I don't want to know your passw...".

Which reminds me: I have to walk around the office looking for Post-it notes with passwords scribbled on them.

Calling Stored Procedures from ASP pages

I'm working on a homegrown web application with which our employees can add and update parts of our external web server. Keywords: Intranet, SQL Server, ASP, stored procedure.
A stored procedure is considered the best (safest, most flexible) way to do things to a SQL Server database. But, as far as I can see, the only way to use stored procedures from VBScript is a very tedious one:

you build a connection string (well, you'll always need a connection to your database, so I won't count this one), then:
Set spCMD = Server.CreateObject("ADODB.Command")
Set spCMD.ActiveConnection = conn           ' conn is your open ADODB.Connection
spCMD.CommandText = "dbo.YourProc"          ' specify the sp
spCMD.CommandType = adCmdStoredProc         ' say it's a sp
spCMD.Parameters.Append spCMD.CreateParameter("@yourvar1", adInteger, adParamInput)
spCMD.Parameters.Append spCMD.CreateParameter("@yourvar2", adInteger, adParamInput)
spCMD.Parameters.Append spCMD.CreateParameter("@yourvar3", adInteger, adParamInput)
spCMD.Parameters("@yourvar1") = yourvar1
spCMD.Parameters("@yourvar2") = yourvar2
spCMD.Parameters("@yourvar3") = yourvar3
' etc, where yourvar1, 2, 3... hold user input. Because they are bound as
' parameters they never become part of the SQL text, which is what stops SQL
' injection at the call site; still validate them (type, range, length), and
' make sure the procedure itself does not paste them into dynamic SQL.
spCMD.CommandTimeout = 0                    ' 0 = wait forever; a finite value is safer
spCMD.Execute                               ' well, execute it

You could do a spCMD.Parameters.Refresh instead, but this seems to put a load on the server (it makes an extra round trip to fetch the parameter definitions). Still, I'm considering this one, because it is so much easier to code.
UPDATE: I found this site explaining a bit more about the so-called Prepared (like the example above) and Unprepared Commands. Comes in handy. However, you still have the big problem of having to change SQL code right in the middle of your ASP file in case the stored proc changes, be it the variable names in the case of Prepared Commands, or the order/number of parameters in the Unprepared Commands. I don't find this very useful, and it certainly isn't really separating the Business Layer from the Presentation Layer. And that is something you'd want to accomplish by using SPs, I'd reckon.
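As an added example (not the code from the post above), here is the same ADO pattern folded into one helper so the ASP page only passes the procedure name and its arguments, with the input validation and the RETURN value check a practitioner would want. The procedure dbo.UpdatePage, its parameters, the session key and the connection string name are assumptions for the sake of the example.

```vbscript
<%@ Language=VBScript %>
<% Option Explicit
' Added example: calling a SQL Server stored procedure from classic ASP through
' ADO with bound parameters. Everything named here (dbo.UpdatePage and its
' parameters, Session("userid"), Application("ConnString")) is hypothetical.
'
' Assumed procedure on the server side:
'   CREATE PROCEDURE dbo.UpdatePage @PageId INT, @Title NVARCHAR(100), @EditorId INT
'   AS UPDATE dbo.Pages SET Title = @Title, EditorId = @EditorId WHERE PageId = @PageId
' A procedure that instead did EXEC('UPDATE ... ' + @Title) would be injectable
' no matter how carefully the ASP side binds its parameters.

' ADO constants, so the page does not depend on adovbs.inc being included.
Const adCmdStoredProc    = 4
Const adParamInput       = 1
Const adParamReturnValue = 4
Const adInteger          = 3
Const adVarWChar         = 202
Const adExecuteNoRecords = 128

' Runs a stored procedure with its input parameters bound through ADO.
' params is an array of Array(name, adType, size, value).
' Returns the procedure's RETURN value; rowsAffected comes back by reference.
Function ExecSP(conn, spName, params, ByRef rowsAffected)
    Dim cmd, i, p
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdStoredProc
    cmd.CommandText = spName
    cmd.CommandTimeout = 30          ' 0 would wait forever on a blocked procedure
    ' The return value must be the first parameter in the collection.
    cmd.Parameters.Append cmd.CreateParameter("@RETURN_VALUE", adInteger, adParamReturnValue)
    For i = LBound(params) To UBound(params)
        p = params(i)
        ' Bound values never become part of the SQL text, so they cannot change
        ' the statement; that, not string cleaning, is the injection defence.
        cmd.Parameters.Append cmd.CreateParameter(p(0), p(1), adParamInput, p(2), p(3))
    Next
    cmd.Execute rowsAffected, , adExecuteNoRecords
    ExecSP = cmd.Parameters("@RETURN_VALUE").Value
    Set cmd = Nothing
End Function

' Validation still matters: binding stops injection, it does not stop a
' negative id or a 3000-character title from reaching the procedure.
Function ValidInt(s, lo, hi)
    ValidInt = False
    If Len(s) > 0 And Len(s) <= 10 And IsNumeric(s) Then
        If CLng(s) >= lo And CLng(s) <= hi Then ValidInt = True
    End If
End Function

Dim conn, pageId, title, editorId, rows, rc
pageId   = Request.Form("pageid")
title    = Request.Form("title")
editorId = Session("userid")       ' who is editing comes from the session, not the form

If Not ValidInt(pageId, 1, 2147483647) Or Len(title) = 0 Or Len(title) > 100 Then
    Response.Status = "400 Bad Request"
    Response.Write "Invalid input."
    Response.End
End If

Set conn = Server.CreateObject("ADODB.Connection")
' The login in this connection string should only have EXECUTE on the
' procedures the application needs, not table access.
conn.Open Application("ConnString")

rc = ExecSP(conn, "dbo.UpdatePage", Array( _
        Array("@PageId",   adInteger,  0,   CLng(pageId)), _
        Array("@Title",    adVarWChar, 100, title), _
        Array("@EditorId", adInteger,  0,   CLng(editorId))), rows)
conn.Close
Set conn = Nothing

If rc = 0 And rows = 1 Then
    Response.Write "Page updated."
Else
    Response.Status = "500 Internal Server Error"
    Response.Write "Update failed."
End If
%>
```

When the procedure's parameter list changes, only the Array(...) passed to ExecSP changes; the ADO boilerplate stays put. The validation in ValidInt and the length check on the title are deliberately separate from the binding: they keep bad data out, while the parameter binding keeps data from becoming code.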

Tips from Evolt

Tip Harvester at Evolt

Found this while on the Evolt site: tips in multiple categories, from Cascading Style Sheets to SQL code.

Monday, December 22, 2003

TODO: really return 404 errors on "page not found"

On my company websites I have a script generate custom error messages in case pages cannot be found. This way, should someone be tampering with the site (and they do, of course, although mostly in a completely harmless way, thanks to our security measures), I would immediately be notified. This way I at least know something is terribly wrong the moment it happens. The only problem is that to have IIS email you this way, you need a customized script (ASP) page which is called instead of the ordinary 404. I'm not able to place the script in the ordinary location for error messages, so it resides somewhere in the IIS directories. Now, when a spider comes along requesting old, outdated pages, it gets a "200 OK" and no 404, as the error page exists. I want to change this, so I figure I have to modify the script to have it return a 404 itself. I guess it doesn't take a lot of time (say, about the time it takes to write this entry :) ), the only problem is it was one of many things on my TODO list. Arriving at work this morning, I felt today would be the day. I'm going to solve this one :)
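As an added example (not the script from this post), here is what such a custom 404 page can look like once it sets the status itself. It assumes IIS is configured with a URL-type custom error for 404 pointing at this page, in which case IIS calls it with a query string of the form "404;http://host/original/path"; the SMTP host and mail addresses are placeholders.

```vbscript
<%@ Language=VBScript %>
<% Option Explicit
' Added example of an ASP custom-error page that really answers 404 and mails
' a notification. Assumes an IIS custom error of type URL for 404 pointing at
' this file. SMTP_SERVER, NOTIFY_TO and NOTIFY_FROM are placeholders.

Const SMTP_SERVER = "smtp.example.local"
Const NOTIFY_TO   = "webmaster@example.local"
Const NOTIFY_FROM = "iis@example.local"

' IIS passes "404;http://host/path" in the query string; return the URL part.
Function OriginalUrl(qs)
    Dim pos
    pos = InStr(qs, ";")
    If pos > 0 Then
        OriginalUrl = Mid(qs, pos + 1)
    Else
        OriginalUrl = ""
    End If
End Function

' All of this comes from the client, so CR/LF are stripped to keep one request
' from forging extra lines in the mail body.
Function OneLine(s)
    OneLine = Replace(Replace(s, vbCr, " "), vbLf, " ")
End Function

Sub Notify(url)
    Dim msg
    Set msg = Server.CreateObject("CDO.Message")
    With msg.Configuration.Fields
        .Item("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2   ' cdoSendUsingPort
        .Item("http://schemas.microsoft.com/cdo/configuration/smtpserver") = SMTP_SERVER
        .Item("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = 25
        .Update
    End With
    msg.From = NOTIFY_FROM
    msg.To = NOTIFY_TO
    msg.Subject = "404 on " & Request.ServerVariables("SERVER_NAME")
    msg.TextBody = "URL:        " & OneLine(url) & vbCrLf & _
                   "Client:     " & Request.ServerVariables("REMOTE_ADDR") & vbCrLf & _
                   "Referer:    " & OneLine(Request.ServerVariables("HTTP_REFERER")) & vbCrLf & _
                   "User-Agent: " & OneLine(Request.ServerVariables("HTTP_USER_AGENT"))
    msg.Send
End Sub

Dim url
url = OriginalUrl(Request.ServerVariables("QUERY_STRING"))

' The point of the post: tell the client (and the spider) it really is a 404.
' Without this an ASP error page answers 200, because the page itself exists.
Response.Status = "404 Not Found"
Response.ContentType = "text/html"

On Error Resume Next          ' a mail failure must not turn the 404 into a 500
Notify url
On Error GoTo 0
%>
<html><head><title>Page not found</title></head>
<body>
<h1>Page not found</h1>
<!-- The URL is attacker-controlled; HTMLEncode keeps it from being reflected as markup. -->
<p>The page <code><%= Server.HTMLEncode(url) %></code> does not exist on this server.</p>
</body></html>
```

Two things worth keeping in mind with this approach: the requested URL is reflected into both the HTML and the mail, so it is encoded for the page and flattened to one line for the mail; and a mail per 404 means anyone can fill the mailbox by requesting random paths, so logging the hits and mailing a periodic digest, or throttling per client address, scales better than one message per request.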

Thursday, December 11, 2003

Time to go home

You know it's time to go home when:
  • you're reading a text on a piece of paper in front of you, and when you're halfway you reach for your mouse to scroll down, only to realise that that doesn't really have the effect you anticipated

Friday, December 05, 2003

Security flaws found in US e-vote machines

Security flaws found in US e-vote machines

This is something I wrote about before. It really interests me why one would want to use DRE systems which are undoubtedly, ehh, I mean not 100% safe, for elections in which *everything* is based on trustworthiness. What struck me the most in the article, however, is that the Diebold machine makes use of an MS Access database to store its results in. Can you believe it? Access is fine for the use it is intended for, but for voting machines???
Disclaimer: we use MS Access as a front end to our database system, which works like a spark. However, the data is stored on SQL Server, which is much more reliable and robust. Imagine a database corruption after the last person has voted at the end of election day??? I would even think that maybe storing the results in a text file on an encrypted file system is more secure and safe than storing it in Access. Or am I missing a point here??