Security Issues

Silverlight Isolated Storage Paths on Windows and MacOS

Frank La Vigne — Sat, 16 Jan 2010 00:52:00 GMT

Sure, it’s easy to find out where Isolated Storage files in Silverlight can be found on disk for Windows.

But what about on the Mac? It’s surprisingly hard to find.

Thankfully, with a bit of searching, I came across this article.

For future reference and to make this easier to find for others, here are all the default paths on the various platforms that Silverlight supports*.

Platform	Path on Disk
Windows 7 and Windows Vista	%userprofile%\AppData\LocalLow\Microsoft\Silverlight\is
Windows XP	%userprofile%\Local Settings\Application Data\Microsoft\Silverlight\is
MacOS	/Users/<user>/Library/Application/Support/Microsoft/Silverlight/is

Why, you ask?

This came up in writing my Silverlight book. I wanted to show developers that storing sensitive data unencrypted in Isolated Storage was a cosmically bad idea. Developers that don’t take security issues seriously need to be shown that, with a little bit of searching, this data can be dug up in its raw format and read.

For those that ignore the real dangers, I wanted a concrete example of how they can poke around their hard drive and how easy it is to do. Hopefully, they’ll get the message.

* – Conspicuously absent is Linux. But this information is even harder to find. Keep in mind that the Moonlight project is about a version behind. Moonlight 2, which I believe has feature-set parity with Silverlight 2, was released December 17, 2009.

Technorati Tags: Silverlight,Isolated Storage,Mac

LOLs to help you with Security Awareness

Frank La Vigne — Tue, 04 Aug 2009 10:37:00 GMT

Here are some LOL’s I created a while back for a contest on security awareness.

Technorati Tags: LOLCat,LOLDog,Security

Fake CNN Alerts Get Funny

Frank — Wed, 13 Aug 2008 21:02:00 GMT

These fake CNN alerts are annoying.

They're starting to clog my inbox and I can't help but wonder how many people have installed malware thanks to them.

But, this one made me laugh.

Technorati Tags: CNN Alerts,Fake CNN Alerts,Humor

Office Diagnostics

Frank — Tue, 29 Jul 2008 00:05:00 GMT

I never saw this screen in Office 2007 before.

My first instinct was to think that it was a cleverly disguised trojan horse, but it's a legitimate tool.

Technorati Tags: Office 2007,Tools

Strange Spam Behavior

Frank — Tue, 29 Apr 2008 16:43:00 GMT

In the past two days, I've gotten well over 200 "Mail Returned" errors to email addresses I've never sent emails to.

Each one of these emails has an attachment, which I'm sure contains a virus payload.

Anyone else seeing this?

Technorati Tags: Spam,Email,Security

Asirra: Keeping Out Bots and Helping Homeless Pets

Frank — Thu, 20 Mar 2008 00:08:00 GMT

The CAPTCHA has been around for a while now.

We've all seen those images that pop up when you post to a blog or sign up for a free account online somewhere.

The trouble is that the spammers ability to programmatically recognize these distorted words is catching up.

The solution is to up the ante, by making the challenge harder.

How about deciding whether or not a picture contains a dog or cat?

That's what Asirra (Animal Species Image Recognition for Restricting Access) does.

Asirra is a CAPTCHA (or HIP, Human Interactive Proof) that works by asking users to identify photographs of cats and dogs.

This is a difficult task for computers, but that something people can do quickly and accurately.

Microsoft Research teamed up with Petfinder.com, the world's largest site devoted to finding homes for homeless pets.

PetFinder has a catalog of over three million images of cats and dogs, manually classified by people at thousands of animal shelters across the United States.

In exchange, Asirra provides a small "Adopt Me!" link beneath each photo, as well as wider exposure for animals needing homes.

Best of all, the site provides information on adding Asirra to your site to keep the spam bots out and help out animals in need.

Win win for everyone.

Technorati Tags: Asirra,CAPTCHA,HIP,PetFinder

Cyber Warfare in Progress?

Frank — Sun, 03 Feb 2008 11:37:00 GMT

I'm with Warner on this one, three cable cuts to one region in a week seems awfully suspicious.

First, it was two cables under the Mediterranean that caused internet service disruptions as far away as India, now it's a cable off the coast of Dubai.

It could just be a series of coincidences, but the odds of that are shrinking.

Technorati Tags: Internet,Dubai,Cable Cut,Cyber Warfare

Governments Prepare for Cyber "Cold War"

Frank — Tue, 04 Dec 2007 08:10:00 GMT

ZDNet UK has an article about how seriously governments around the world are taking computer security: both as a means of offense and looking into shoring up their defenses.

From the article:

Countries are currently testing the water to gauge the threat and potential for damage posed by their cyber-assaults, according to the 2007 Virtual Criminology Report produced by security firm McAfee.
[..]
Paller said attacks against the US military this year — reportedly made by China, although the Chinese have denied responsibility — resulted in the loss of large amounts of data. The data had, in part, been stolen from the NIPRNet, a US military network which is open to the internet and used for the transmission of non-classified documents.

Maybe computer security will be taken more seriously in the future, maybe not.

From security guru Bruce Schneier's Blog, where he and Marcus Ranum discuss what computer security will be like ten years from now (emphasis added)

at a meta-level, the problems are going to stay the same. What's shocking and disappointing to me is that our responses to those problems also remain the same, in spite of the obvious fact that they aren't effective.

It's 2007 and we haven't seemed to accept that:

You can't turn shovelware into reliable software by patching it a whole lot.
You shouldn't mix production systems with non-production systems.
You actually have to know what's going on in your networks.
If you run your computers with an open execution runtime model you'll always get viruses, spyware and Trojan horses.
You can pass laws about locking barn doors after horses have left, but it won't put the horses back in the barn.
Security has to be designed in, as part of a system plan for reliability, rather than bolted on afterward.

The list could go on for several pages, but it would be too depressing. It would be "Marcus' list of obvious stuff that everybody knows but nobody accepts."
You missed one important aspect of the problem: By 2017, computers will be even more important to our lives, economies and infrastructure.

Back to the ZDNet article (emphasis added):

They [security experts] warn that a "cyber cold war" is developing, in which governments are using technology not only for the immediate benefit of gaining intelligence from stolen data but also to probe critical national infrastructures for possible weak points that could be exploited in the event of conflict.

In some ways, we, as developers, are somewhat responsible for bad security. We write the code that can get exploited. We have no control, however, over poor administration, password on Post-It notes, and PEBKAC errors .

We can, however, have a positive impact by thinking about security more. Make it part of our architectures, insist on security audits, press your leadership to allow time to security to be built into the application design, rather than an afterthought.

It may take a while, but in ten years, we'll either be ten years older and wiser or just ten years older.

Maybe we need a 21st century version of this WW2 era poster:

Technorati tags: Security, CyberWar, Infrastructure, Malware, Bruce Schneier

Real World Steganography

Frank — Mon, 19 Nov 2007 14:22:00 GMT

In 2004, I had worked on an RFP for a project (Kreskin) to detect images hidden in other types of files, a technique known as Steganography.

All the security experts I interviewed said that it would take several years for steganography to become a priority for IT security professionals, as it would take that long for it to become widely in use.

It's seems that steganography is growing in popularity in some criminal circles.

[found via Slashdot]

Technorati tags: Steganography, Security

Little Bobby Tables

Frank — Tue, 16 Oct 2007 17:00:00 GMT

Now, here is a great name for a kid.

For those not in the know, this joke refers to a SQL Injection attack, as always WikiPedia has more information on the subject.

Technorati tags: SQL Injection Attack, Humor, Cartoon, xkcd, Security