Neil Carpenter's Blog

Forefront products, WSUS, Security Incident Response, and whatever else comes up.

Neil Carpenter's Blog

  • Incident Response: The Importance of Anti-Virus

    Heading home from the CSS Security Global Summit on Friday, I got stuck in Cincinnati’s airport. While walking through baggage claim, I saw this displayed on the arrivals board: (I didn’t have a proper camera with me so, if that’s hard to read, it...
  • SQL Injection Hijinks

    or Why I Keep Harping On Blacklisting Summary: An incident reveals attempts to get around blacklisting by manipulating behavior in ASP, illustrating the weakness of blacklist approaches. A new version of UrlScan is shipping today with a change...
  • PASSGEN

    Occasionally, I see a security incident where one of the things that went wrong was that all of the customer's machines have the same password for the built-in administrator's account.  Whenever this happens, I suggest the PASSGEN tool that was included...
  • Err

    I might be the last person to know this but one of my favorite internal Microsoft tools is now external. Err.exe is a command-line tool that looks up error codes and spits out possible matches from various header files. This is invaluable when you're...
  • Input Validation Is Not The Answer

    I just sent a piece of e-mail to my team about input validation and SQL injection and it occurred to me that I've been meaning to get into this here, too: If you're trying to solve a SQL injection problem, input validation is NOT the answer! There, I...
  • Forefront Server Security Management Console, Templates, and Revisions

    Sometimes, working in support, you come across a best practice or a bit of knowledge that is well-known to some people...but that bit of knowledge has never actually been documented. Today was one of those days. While working in an environment with...
  • Does This Make Me A Fanboy?

    I upgraded my iPhone to the 2.0 firmware today and I've been playing with the app store all day. It's pretty neat stuff. Since I'm on a conference call tonight but I'm only here in an advisory/observational way, I put my phone on mute and kept playing...
  • Antigen 9.1 Hotfix Rollup 3 and Performance Monitor

    While investigating an issue where mail was queuing in the Exchange Information Store, we discovered an issue that affects customers running Antigen 9.1 Hotfix Rollup 3 when there are performance monitoring tools such as Perfmon, Perfwiz, and the MOM...
  • SQL Storm: Possible ASP.Net

    I’ve had an unconfirmed report that the SQL Storm attacks are now also affecting ASP.Net pages, specifically with a  URL of http://www.chliyi.com/m.js (this appears to be offline currently but I wouldn't suggest browsing there...) being injected...
  • SQL Injection: Trends & Guidance

    I've been working with the SWI team to write a comprehensive overview of the SQL Storm attacks with guidance for IT administrators, developers, and end users.  That article is posted at sql-injection-attack.aspx . For developers, specifically, Bala...
  • SQLInjectionFinder

    My colleague Greg , who has forgotten more about command line scripting than I will ever know, put together a sample on CodePlex that automates finding SQL injection attacks from the ongoing mass SQL injection attack ("SQL Storm", as I saw it...
  • SQL Injection Mitigation: Using Parameterized Queries part 2 (types and recordsets)

    (Part 1 is here ) Previously, I provided a simple example of using parameterized queries in classic ASP; however, that sample lacked a few things such as explicit typing for the parameters. It also created a read-only ADODB.RecordSet which, obviously...
  • SQL Injection Mitigation: Using Parameterized Queries

    Michael Howard wrote an excellent article yesterday on how the SDL addresses SQL injection . He walks through three coding requirements/defenses: Use SQL Parameterized Queries Use Stored Procedures Use SQL Execute-only Permissions As Michael...
  • SQL Injection -- A Comment

    Kumar comments here and I think he has some questions/concerns that are worth addressing.  I'm going to add my own comments (and, please note, the comments I make here are my own and do not necessarily reflect Microsoft's corporate opinions). --...
  • Mass SQL Injection -- Get Used To It

    It looks like another wave of the mass SQL injection I talked about last month is going on.  The inserted link is different and, in the one specific incident I've seen, the source IP address is different; however, other than that, the attack looks...
  • Good News

    The good news is that, whatever else might happen, these guys won't get pwned by SQL injection.   (Via GrumpySecurityGuy .)
  • Anatomy of a SQL Injection Incident, Part 2: Meat

    Intro It would appear that the incident I wrote about yesterday is still ongoing. I've been using a search engine to query for the *.js file that's being injected and it looks something like this: Wednesday: 10K hits (This is Avert's number. I didn't...
  • Anatomy of a SQL Injection Incident

    A number of people are reporting that 10K+ websites have been hacked via a SQL injection attack that injected a link to a malicious .js file into text fields in their database. For example, here's Avert Labs report . The reports that I've seen talk about...
  • LogParser, Event Logs, and Vista

    LogParser is one of my absolute favorite tools, particularly for doing incident response. I use it a lot to extract and order data into a timeline (hmmm...that's a good topic for a future post). When I moved to Vista, I found one annoyance, though...
  • Rating Music (iTunes Edition)

    I have a large collection of music, all of which is (finally) in iTunes. I'd like to rate all of it but it's somewhat cumbersome to flip back and forth from whatever app I'm in to iTunes in order to click on the little star icons while I'm listening to...
  • Detecting ARP Spoofing Attacks

    After investigating an ARP spoofing incident recently, I started thinking of how we could easily ferret out this sort of information when responding to a potential incident. In this particular case, there were two important parts of the attack: ARP spoofing...
  • Microlending

    I commute about 90 minutes a day, total, on an average day. I spend most of the commute listening to some combination of local talk radio (WBT 1100), NPR, Fox, and the BBC World Service. I think of it as a sort of yin-yang radio diet. Yesterday afternoon...
  • ARP Cache Poisoning Incident

    I recently worked on an interesting incident response with several of my colleagues. The problem, as defined by the customer, is that the following code is being injected into some websites (both external and internal to his environment) that his users...
  • Reboot

    I started blogging on MSDN back in 2004 with the best of intentions. I was working with the Engineering Services team as 'the network guy' and I was involved in a lot of interesting cases working with our customers on deep networking issues, so I felt...
  • It's the New Phone

    I finally lost my patience with my old mobile provider last week & decided it was time for a change. While I was changing, I decided that maybe it was time for a Smartphone... Wow. It definitely isn't perfect yet, but this is by far the best mobile...