Popularity has its drawbacks. As the iPhone and the Mac gain in popularity, hackers are starting to take notice.
Part of the reason for the increased popularity of Macintosh computers is that Apple has made the machines friendlier to running programs popular on Windows-based machines.
Hackers experienced with attacking Windows programs can apply some of their know-how to software modified to run on Macintosh computers.
Developers who re-craft Windows programs for Macintosh systems might not be adept at building security components on the latest Leopard operating system used in Apple machines.
“Windows developers take their code and make it work on Apple,” Hotchkies said. “They could take potential vulnerabilities with them or possibly create new ones because they are working on an entirely different platform.”
I haven’t heard about any zero-day exploits to the iPhone yet (as long as you don’t count jailbreaking), but I’m sure they’re on the way. Read the article here.
There have been a couple of interesting stories online today concerning security. A Russian group is accused of hijacking more than 100,000 computers for gathering personal data, and the TJX hackers have finally been charged as well.
The ID theft ring stole more than 40 million credit and debit card numbers, said Michael Sullivan, U.S. attorney for the District of Massachusetts. The criminals installed sophisticated “sniffer” programs on the retailers’ networks, allowing them to collect credit card and password information, he said during a press conference.
The defendants then used these cards to withdraw tens of thousands of dollars at a time from cash machines, the DOJ said. Gonzalez and others were allegedly able to conceal and launder their fraud proceeds by using anonymous Internet-based currencies and by channeling funds through bank accounts in Eastern Europe, the DOJ said.
Wow. Pretty devious. Read my earlier post about the TJX hacking here.
I might be aging myself a little here, but I’m sure we all remember the old Folgers commercials where the premium coffee is switched with the much maligned Folgers instant. Microsoft did something similar recently in San Francisco to some folks who held a negative view of Windows Vista. They asked 140 non-Vista consumers to try out a version of a new OS Microsoft is working on codenamed Mohave. Before the demo the average rating (1 to 10) for Vista was 4.4, and after the demo the rating for Mohave was 8.5. Unfortunately for all the haters, the fact is that Mohave is Vista.
It’s no big surprise to me. I’ve talked to plenty of people who have a negative opinion of Vista but have never used the OS. Then you’ve got the folks who have been using the same arguments recycled from the Windows XP days, and yet XP is now “the good old OS”. I don’t think you can discount the Apple switcher ads either. If you know me, you know that I’m not a Windows zealot. I’ve even been known to run Linux on one of my home PCs, but I don’t think the case has been made that XP is still a better bet than Vista. Especially now that Vista has been out for over a year and a half, and we’re not seeing the compatibility issues that were experienced at its launch.
To me, a huge part of the problem with Vista is an image thing. The Apple marketing team does such a good job at marketing the Mac. They make it look like the cool kid everyone wants to hang around with, and Windows looks like some reject whose mom dresses him funny so he ends up writing a tech blog and never having any girlfriends or fun. But I digress.
The bottom line is that too many times conclusions are drawn without knowing all the facts. This is applicable to a wide range of topics (climate change, energy policy, beer selection), and it’s just as applicable to the Vista question.
SlickRun is an awesome floating command-line utility that gives you almost instant access to any application or website. At least that’s what the developer’s website claims, and I have to agree. The beauty of SlickRun is realized once you’ve begun to add your own Magic Words. For example, I created a wiki magic word where all I need to do is type wiki and a topic and press enter. Next thing you know Firefox loads (or a new tab opens) a Wikipedia page about the topic.
I know the source isn’t available, but it’s still free (as in beer, not speech). You can download it here. It’s definitely a useful utility.
Here’s a cool method for resizing a browser window using a simple shortcut in your bookmarks. This has been especially helpful since I can’t use Firebug at work (we’re forced to use IE6 – I know, it sucks), and the IE Developer toolbar always breaks on my work machine. How ghetto…
Here’s the link.
No, I’m not letting my freak flag fly or stating my admiration for Timothy Leary. I’m sharing my XM Radio experience. After being a loyal customer for more than 2 years, I recently cancelled my subscriptions on both of my radios. I actually should have cancelled them months ago because I all but stopped using the service. Ever since I got a radio transmitter for my iPod, the XM was relegated to a second class citizen. I can listen to all my podcasts and any of my music without having to put up with signal drop outs next to tall buildings or trees.

When I finally decided to drop the service, it was just about time for my subscription to be renewed. I tried numerous times to cancel online, but I was always given a canned message to the effect that site maintenance was being performed and that I should try again later. I finally called and told the customer service rep that I did not want my subscription to automatically renew. Well guess what. My credit card was billed for a year’s worth of subscription charges. So I had to call yet again and cancel.
I know what you’re thinking. “Come on Tim. But you can listen to XM on the web too.” Yeah, sort of. You can listen to the XM music channels, but forget about the sports or talk channels. They’re not available.
Just about the only thing I miss about the XM is the First Team on Fox with Steve Czaban on Fox Sports Radio. Now if they would only post their shows (sans commercials of course) so I can listen to them on my iPod.
I guess this is as much a pro iPod post as it is a negative XM post. As much as I detest Apple fan boys, I can’t help but attribute my cancellation of my satellite radio subscription to my iPod. Anyone want to buy a couple XM radios?
After being hacked (I think I was vulnerable because I hadn’t updated WordPress), I was forced to do a little cleanup around ScarTech.net. Part of the cleanup and upgrades include a nice new theme.
I’ll detail the hack in a later post.
The IsNullOrEmpty method was added to the String class in the 2.0 Framework, and it makes testing for an empty or null string as easy as a single function call. Instead of first testing whether the String reference is null and then checking whether its length is zero (in that order, or you get a NullReferenceException), both checks are done in one easy method call.
VB.NET
' s is never assigned, so it is Nothing here and the first branch runs.
Dim s As String
If String.IsNullOrEmpty(s) Then
    Console.WriteLine("String is null or empty.")
Else
    Console.WriteLine(String.Format("String = {0}", s))
End If
This isn’t exactly an earth shattering discovery, but it’s useful nonetheless.
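To show what the call replaces, and the one input it does not catch, here is an added C# example (my own, not from the Framework docs). It assumes nothing beyond the 2.0 Framework except the remark about IsNullOrWhiteSpace, which arrived in 4.0.

```csharp
// Added example: the manual test that String.IsNullOrEmpty replaces, and the
// whitespace case it does not cover. Targets .NET 2.0; see the 4.0 note below.
using System;

static class StringChecks
{
    // The hand-written check IsNullOrEmpty replaces. Order matters: reading
    // Length on a null reference throws NullReferenceException, so the null
    // test has to come first and short-circuit.
    public static bool IsNullOrEmptyManual(string s)
    {
        return s == null || s.Length == 0;
    }

    // Whitespace-only input is NOT empty, so "   " passes IsNullOrEmpty.
    // For required-field validation trim before testing (or, on .NET 4.0
    // and later, call String.IsNullOrWhiteSpace, which does this for you).
    public static bool IsMissing(string s)
    {
        return s == null || s.Trim().Length == 0;
    }

    public static void Main()
    {
        // Constructed sample inputs: null, empty, spaces only, real value.
        string[] inputs = { null, "", "   ", "tim" };
        foreach (string s in inputs)
        {
            Console.WriteLine("{0,-8} IsNullOrEmpty={1,-5} manual={2,-5} IsMissing={3}",
                s == null ? "(null)" : "\"" + s + "\"",
                String.IsNullOrEmpty(s),
                IsNullOrEmptyManual(s),
                IsMissing(s));
        }
        // The "   " row is the one to notice: IsNullOrEmpty=False, IsMissing=True.
    }
}
```

The point for input validation is the third row: a field containing only spaces is not rejected by IsNullOrEmpty, so a "required" check built on it alone lets blank values through.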
In the next installment of my security series, I’ll tackle SQL injection. In the true code reuse fashion, I’ll provide a couple links that do a great job of explaining some misconceptions about SQL injection and how to protect your application.
First here’s a link to a post on Glen Gordon’s blog about injection: http://blogs.msdn.com/glengordon/archive/2008/04/15/some-sql-injection-attack-misperceptions-and-reality.aspx. Glen includes a nice list of common mistakes when thinking about preventing injection attacks.
Next is a link from the MSDN magazine showing how to stop injection attacks: http://msdn2.microsoft.com/en-us/magazine/cc163917.aspx
I know this was a lazy post, but cut me some slack. I’ve got a 2 month old baby and a new PS3.
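Since the two links cover the theory, here is the shape of the fix in code: an added C# example of my own (not from either article) that puts the concatenated query the attack relies on next to the parameterized version. The table, column and parameter names are made up for the example, and it assumes SQL Server via System.Data.SqlClient.

```csharp
// Added example: string-built SQL that is injectable, next to the same query
// written with a parameter. Table/column names (Users, Username, UserId) and
// the sample payload are constructed for illustration.
using System;
using System.Data;
using System.Data.SqlClient;

static class LoginQueries
{
    // VULNERABLE: the user's input is spliced into the SQL text, so the
    // database parses whatever they typed as part of the statement.
    public static string BuildUnsafeSql(string username)
    {
        return "SELECT UserId FROM Users WHERE Username = '" + username + "'";
    }

    // SAFE: the SQL text is a constant. The value is sent separately as a
    // typed parameter and is never parsed as SQL, so quotes and comment
    // markers inside it are just characters.
    public static SqlCommand BuildSafeCommand(SqlConnection conn, string username)
    {
        var cmd = new SqlCommand(
            "SELECT UserId FROM Users WHERE Username = @username", conn);
        cmd.Parameters.Add("@username", SqlDbType.NVarChar, 50).Value = username;
        return cmd;
    }

    public static void Main()
    {
        // Constructed payload: closes the quoted literal, adds a tautology,
        // and comments out the trailing quote.
        string payload = "' OR 1=1 --";

        Console.WriteLine(BuildUnsafeSql(payload));
        // prints: SELECT UserId FROM Users WHERE Username = '' OR 1=1 --'
        // which matches every row instead of one user.

        using (var conn = new SqlConnection("Server=.;Database=App;Integrated Security=true"))
        {
            SqlCommand cmd = BuildSafeCommand(conn, payload);
            Console.WriteLine(cmd.CommandText);
            // prints: SELECT UserId FROM Users WHERE Username = @username
            // The payload is only ever the *value* of @username; no row has
            // that literal username, so the query simply returns nothing.
        }
    }
}
```

One caveat worth keeping in mind: parameterizing the call is only half of it. If the statement on the other side (a stored procedure, for instance) takes the parameter and concatenates it into dynamic SQL itself, the injection just moves into the database.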
Cross site scripting can be a tough vulnerability to eliminate, but it doesn’t necessarily have to be. If you’re working on an ASP.NET project, the Microsoft Anti-XSS library is easy to use and freely available. Like a lot of developers, I’ve rolled my own anti-XSS by escaping specific characters (a blacklist), but it’s usually clunky and, let’s face it, there are still bound to be vulnerabilities. The MS library encodes for each output context separately: HTML, HTML attributes, JavaScript, VBScript, XML, and XML attributes.
Always encode data from untrusted inputs. Just a few examples include:
- Databases
- Form fields
- Session variables
- Query string
- Cookies
Using the library is very simple. Just add a reference to the dll to your project, and you’re ready to go. Here’s a quick and dirty code example encoding a value from the query string:
using Microsoft.Security.Application;   // namespace of the AntiXss class
// Encode for an HTML text context before writing Name into the page.
string Name = AntiXss.HtmlEncode(Request.QueryString["Name"]);
A good rule to live by is “When in doubt. Encode it.” Encode at the point of output, using the encoder for the context it is going into (HTML text, attribute, JavaScript, and so on). Just don’t encode it twice: a value that is already HTML-encoded and gets encoded again shows up on the page as literal entities instead of text.
You can download the library from Microsoft here.
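As an added example (my own code, not the library’s samples), here is the same untrusted value written into four different output contexts, each with the encoder that matches that sink, plus the double-encoding mistake. It assumes AntiXssLibrary.dll (the 1.5/3.x releases, where the class is `AntiXss` in `Microsoft.Security.Application`; the 4.x release renamed it `Encoder`) is referenced, and that `JavaScriptEncode` returns the value already wrapped in single quotes, which is how that method behaves. The profile markup and sample input are constructed for the example.

```csharp
// Added example: one untrusted value, four sinks, four encoders. Assumes a
// reference to AntiXssLibrary.dll (class AntiXss, namespace
// Microsoft.Security.Application). Markup and input are made up for illustration.
using System;
using Microsoft.Security.Application;

static class ProfileRenderer
{
    // 'name' is untrusted (query string, form field, database row, cookie...).
    // It is encoded once per sink, with the encoder for that sink's context.
    public static string Render(string name)
    {
        string html = AntiXss.HtmlEncode(name);           // text between tags
        string attr = AntiXss.HtmlAttributeEncode(name);  // inside a quoted attribute
        string js   = AntiXss.JavaScriptEncode(name);     // JS string literal; the
                                                          // library emits the quotes
        string url  = AntiXss.UrlEncode(name);            // a query string value

        return
            "<h1>Hello, " + html + "</h1>\n" +
            "<input type=\"text\" value=\"" + attr + "\" />\n" +
            "<script>var who = " + js + ";</script>\n" +
            "<a href=\"/profile?name=" + url + "\">profile</a>\n";
    }

    // The "don't encode it twice" pitfall: HtmlEncode turns '<' into "&lt;";
    // encoding that output again yields "&amp;lt;", which the browser renders
    // as the literal characters "&lt;" instead of "<".
    public static string DoubleEncoded(string name)
    {
        return AntiXss.HtmlEncode(AntiXss.HtmlEncode(name));
    }

    public static void Main()
    {
        // Constructed sample input: a classic reflected-XSS probe.
        string probe = "<script>alert('xss')</script>";

        Console.WriteLine(Render(probe));
        // In each sink the probe comes out inert: the <h1> shows the tag text,
        // the attribute keeps its closing quote, the JS literal cannot break
        // out of the string, and the href cannot start a new attribute.

        Console.WriteLine(DoubleEncoded("<"));   // prints &amp;lt;  (wrong: encoded twice)
        Console.WriteLine(AntiXss.HtmlEncode("<")); // prints &lt;   (right: encoded once)
    }
}
```

The thing to take from the example is that HtmlEncode alone is not enough when the value lands inside a script block or an attribute; each of those contexts has its own escaping rules, which is why the library ships a separate method for each.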