Hotmail accounts hacked for sending iPhone spam

Tuesday, 29 September 2009

I've had a few family and friends now who have apparently had their hotmail email accounts hacked for the purpose of sending spam to all the people in their contacts (including me!)

The spam (who's grammar should make it obviously not from the original sender) takes the form of

hi,
how are you?
recently, I got a nice site: www.nottheoriginalsite.com
I brought some items from them. Wow, it is very nice.
low price and good quality (iphone new model 3GS 16 GB only 385 euro)
they also sell Wii, DJ, TV, laptop,camera and so on.
how do you think? login and have a look at it!
yours truly,

As best I can tell, they've done this either via guessing passwords or maybe via some kind of phishing attack. One reason for this belief is that for one incident I saw, the spam was saved in the sender's "Sent Items" folder, just like other regular email that they had sent.

If you have a hotmail account, I'd strongly recommend you ensure your password is long enough to be extremely difficult to guess. A passphrase instead of just a password is probably the best way to do this.

Why Websense is stupid (and I told them so)

Tuesday, 22 September 2009

One of the vendors who happened to be exhibiting at TechEd Australia this year was a company called Websense.

They were giving away T-shirts, so it was only after I had received my free shirt from them that I then proceeded to tell them how stupid and horrible their software was.

This seem to take the Websense staff a bit by surprise and they tried to defend their product assuring me with words to the effect that their software was wonderful and couldn't possibly be faulty and had the "largest database". Well let me assure you "quantity" definitely does not equate to "quality", and it may be no coincidence that their company name rhymes with "nonsense" :-)

Don't believe me? Well take a look at this example:

Try and browse http://www.opensource.org/licenses/bsd-license.html through Websense and you are greeted with this response:

Reason:

The Websense category "Entertainment" is filtered.

 

URL:

http://www.opensource.org/licenses/bsd-license.html

Presumably the legal department must have a fair bit of influence at Websense, Inc. as I don't think anyone else would consider reading software licenses 'Entertainment'.

It just goes to reinforce the enhancement Mitch Denny made in his Software Development Pitfalls talk to point 5 of Jeff Attwood's Programmer's Bill of Rights :

Every programmer shall have a fast, unfiltered internet connection

Ah, we can but dream.

BinScope and MiniFuzz

Thursday, 17 September 2009

Following on from seeing Michael Howard at TechEd last week, here's a couple of new tools to help with analysing your applications for security issues.

"BinScope is a verification tool that analyzes binaries on a project-wide level to ensure that they have been built in compliance with Microsoft’s Security Development Lifecycle (SDL) requirements and recommendations"

"MiniFuzz is a basic testing tool designed to help detect code flaws that may expose security vulnerabilities in file-handling code. This tool creates multiple random variations of file content and feeds it to the application to exercise the code in an attempt to expose unexpected and potentially insecure application behaviours"

Tech-Ed 2009 – Friday

Sunday, 13 September 2009

Highlights

2008 R2 Virtualisation with Ben Armstrong

.NET 4 Parallel Extensions with Corneliu Tusnea

Big Algorithms in F# with Joel Pobar

Mobile Smackdown

This was bizarre and quite crazy in a mostly good way. Because I'd won a token from the WCF talk, I got get a front-row (well second to front) seat and got a pile of goodies on my seat.

The basic rule of the smackdown was that anytime a demo failed assorted pieces of "swag" would be thrown into the audience.. Hence the audience were keen to see things fail!

Quite a few new Windows Mobile phones, headsets, mice and other nice prizes were given way.

I was also pleased to see that this year, no cat food was involved in any of the competitions (unlike the session from last year)

Final thoughts

So did I get my money's worth? Yes, I think so. I felt I learned or was exposed to new things in almost every session I attended. It was also great to catch up with lots of friends and familiar faces.

While the Gold Coast isn't the most convenient venue to get to from Adelaide, I do think the convention centre does an excellent job looking after and catering for everyone. No complaints about the food!

The HP Mini 2140 netbook is really nice. I think it was quite innovative to allow all delegates to be able to participate in the conference in an online fashion. Wireless network access at the convention centre worked pretty well considering how many concurrent users it had to cope with. Depending on which way the wind blew, I could sometime connect even when I returned to my motel room (which was just across the road). I've given my netbook to Narelle and I think she's pretty impressed already.

Maybe I missed them in the crowd, but I wonder if the days of UniSA sending >10 delegates are over as I didn't bump into any old colleagues this year. It did feel different not having Gary, Dat, Mark around or bumping into familiar faces from IT.

Finally I do especially appreciate the sacrifice my family made (both in my time away from home and financially) to allow me to attend.

Tech-Ed 2009 – Thursday

Sunday, 13 September 2009

I woke up Thursday morning feeling pretty good, until I sneezed.

Unfortunately the sneeze triggered another back spasm, so by the time I got over to the conference centre, I was not feeling super-comfortable. I felt a little better as the day progressed but it meant I did end up having to stand for most of the sessions to avoid aggravating things even more.

Highlights

Software Development Pitfalls with Mitch Denny

What's new in .NET 4 and VS 2010 with Adam Cogan

Visual Studio 2010

C#

VB

ASP.NET

SDL with Michael Howard

SDL Goals:

 

  1. Strong signing and ACPTA
  2. Secure Crypto
    1. configurable algorithms (use a factory class)
    2. Use standard libraries
    3. Use appropriate algorithms
  3. Firewall
  4. Threat models
  5. Support UAC
  6. Granular feature control
  7. Grant minimal privileges (drop privileges on service startup)
  8. Use minimum code gen suite (eg. latest compiler)
  9. Use /GS
  10. Use Safe Exception Handling
  11. MIDL
  12. Use ASLR
  13. Use DEP
  14. Defect heap corruption
  15. No writable PE segments
  16. Don't use banned APIs
  17. Encode long-lived pointers
  18. Use FxCop
  19. Use /analyze
  20. Use SAL
  21. Use /W4
  22. Native code XML Parsers
  23. XSS
  24. Safe tags without attributes
  25. Use ViewStateUserKey
  26. Don't use JavaScript eval()
  27. Safe redirects
  28. SQL execute only
  29. Use parameterised queries
  30. Use stored procedures
  31. Don't depend on NTLM
  32. Don't swallow all exceptions (rethrowing is ok though)
  33. Safe error messages
  34. Fuzz testing
  35. Application Verifier
  36. Device drivers

Security for Developers with Michael Howard

WCF Scaling with Chris Hewitt

Thursday night a whole stack of coaches drove all 2,500 delegates to Dreamworld. I'm not big on rides, but it was nice to have a look around, grab some tea, and catch up with Nigel, then bump into Jason and a couple of the guys from GraysOnline (Australia's biggest online retailer, which I'd never heard of until a few months ago).