Neil Carpenter's Blog

Forefront products, WSUS, Security Incident Response, and whatever else comes up.

  • Anatomy of a SQL Injection Incident, Part 2: Meat

    Intro It would appear that the incident I wrote about yesterday is still ongoing. I've been using a search engine to query for the *.js file that's being injected and it looks something like this: Wednesday: 10K hits (This is Avert's number. I didn't...
  • It's the New Phone

    I finally lost my patience with my old mobile provider last week & decided it was time for a change. While I was changing, I decided that maybe it was time for a Smartphone... Wow. It definitely isn't perfect yet, but this is by far the best mobile...
  • Anatomy of a SQL Injection Incident

    A number of people are reporting that 10K+ websites have been hacked via a SQL injection attack that injected a link to a malicious .js file into text fields in their database. For example, here's Avert Labs report . The reports that I've seen talk about...
  • Detecting ARP Spoofing Attacks

    After investigating an ARP spoofing incident recently, I started thinking of how we could easily ferret out this sort of information when responding to a potential incident. In this particular case, there were two important parts of the attack: ARP spoofing...
  • Network Sniffing Tools

    Intro Network sniffing is a major part of my life -- I've probably pored over, on average, a trace a day every day for the past seven years. This is an area where having the right tool is of the utmost importance as a good tool can cut hours (or even...
  • Quick Figuring Optimal TCP Window Size

    There generally isn't a single correct way to figure out the optimal TCP window for an interface since you're probably connecting to different hosts across different links at different latencies; however, you can roughly guess what the optimal window...
  • PASSGEN

    Occasionally, I see a security incident where one of the things that went wrong was that all of the customer's machines have the same password for the built-in administrator's account.  Whenever this happens, I suggest the PASSGEN tool that was included...
  • SQL Injection -- A Comment

    Kumar comments here and I think he has some questions/concerns that are worth addressing.  I'm going to add my own comments (and, please note, the comments I make here are my own and do not necessarily reflect Microsoft's corporate opinions). --...
  • Categorizing Packet Loss

    I've quite frequently run into situations where I've been asked to diagnose packet loss based only on a network trace. While it is almost impossible to find an exact answer, a network trace can provide some valuable clues about the cause of the packet...
  • Bio

    I recently realized that I spend a lot of time writing about things that I know only a little about (like politics) and very little time writing about the things that I do know something about. This blog is an attempt to balance that, and to let my geeky...
  • SMB/CIFS Performance Over WAN Links

    I often have customers who ask me to wrestle with the performance of SMB (otherwise known as CIFS) across a WAN link. Their experience is usually that file transfers from Windows Explorer or from the command prompt don't meet their expectations of their...
  • SMB Perf articles

    I've been working a lot with file sharing performance, and I'm trying to write a few essays on those experiences. The first, on SMB Performance , is up now. When I have some more time, I'm going to write a bit on the impact of packet loss on SMB connections...
  • Network Sniffing Tools

    Posted on my favorite network sniffing tools .
  • Disclaimer

    These postings are provided "AS IS" with no warranties, and confer no rights. The contents of this site are my own personal opinions and do not represent my employer's view in any way. In addition, my thoughts and opinions often change, and as a weblog...
  • Finding Retransmits in Ethereal

    With the full version of Netmon, it's relatively easy to find retransmitted packets with the expert; however, in Ethereal, it's not quite as clear... Ethereal supports analysis of TCP sequence numbers to find retransmits & do other neat things;...
  • Conversations

    My favorite cartoonist wrote something that started me thinking... “All products are conversations.” I suppose that, in terms of product support, this is self-evident. Every product we ship results in a conversation with support....
  • Rating Music (iTunes Edition)

    I have a large collection of music, all of which is (finally) in iTunes. I'd like to rate all of it but it's somewhat cumbersome to flip back and forth from whatever app I'm in to iTunes in order to click on the little star icons while I'm listening to...
  • LogParser, Event Logs, and Vista

    LogParser is one of my absolute favorite tools, particularly for doing incident response. I use it a lot to extract and order data into a timeline (hmmm...that's a good topic for a future post). When I moved to Vista, I found one annoyance, though...
  • Good News

    The good news is that, whatever else might happen, these guys won't get pwned by SQL injection.   (Via GrumpySecurityGuy .)
  • Mass SQL Injection -- Get Used To It

    It looks like another wave of the mass SQL injection I talked about last month is going on.  The inserted link is different and, in the one specific incident I've seen, the source IP address is different; however, other than that, the attack looks...
  • Reboot

    I started blogging on MSDN back in 2004 with the best of intentions. I was working with the Engineering Services team as 'the network guy' and I was involved in a lot of interesting cases working with our customers on deep networking issues, so I felt...
  • ARP Cache Poisoning Incident

    I recently worked on an interesting incident response with several of my colleagues. The problem, as defined by the customer, is that the following code is being injected into some websites (both external and internal to his environment) that his users...
  • Microlending

    I commute about 90 minutes a day, total, on an average day. I spend most of the commute listening to some combination of local talk radio (WBT 1100), NPR, Fox, and the BBC World Service. I think of it as a sort of yin-yang radio diet. Yesterday afternoon...
  • SQL Injection Mitigation: Using Parameterized Queries

    Michael Howard wrote an excellent article yesterday on how the SDL addresses SQL injection . He walks through three coding requirements/defenses: Use SQL Parameterized Queries Use Stored Procedures Use SQL Execute-only Permissions As Michael...
  • SQL Injection Mitigation: Using Parameterized Queries part 2 (types and recordsets)

    (Part 1 is here ) Previously, I provided a simple example of using parameterized queries in classic ASP; however, that sample lacked a few things such as explicit typing for the parameters. It also created a read-only ADODB.RecordSet which, obviously...
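Several of the posts listed above (the mass SQL injection incidents and the two parameterized-query mitigation posts) revolve around the same pair of ideas: a query built by string concatenation lets an attacker rewrite the statement, while a parameterized query with an explicitly typed parameter does not; and the payload in those incidents was a `<script src="...js">` tag appended to text columns. The following is an added example written for this index, not code from any of the posts (which use classic ASP/ADO). It uses Python's built-in `sqlite3` with a constructed in-memory `products` table, a constructed payload pointing at a placeholder `example.invalid` host, and assumed function names; it shows the vulnerable lookup beside the hardened one, and a simple scan that finds injected script tags in text columns after the fact.

```python
import re
import sqlite3

# Constructed sample data: a small product table of the kind the mass
# injection campaigns targeted (any text column is a candidate for the payload).
SAMPLE_ROWS = [
    ("widget", "A basic widget", 9.99),
    ("gadget", "A fancier gadget", 19.99),
    ("gizmo", "A gizmo for the discerning buyer", 29.99),
]

# Constructed payload shaped like the injected link: a script tag whose src ends in .js.
# example.invalid is an RFC 2606 placeholder, not a real host.
INJECTED_TAG = '<script src="http://example.invalid/x.js"></script>'

# Matches a script tag with a src attribute ending in .js (case-insensitive).
SCRIPT_TAG_RE = re.compile(r"""<script[^>]+src\s*=\s*['"]?[^'">]+\.js""", re.IGNORECASE)


def make_db():
    """Create an in-memory database populated with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, description TEXT, price REAL)"
    )
    conn.executemany(
        "INSERT INTO products (name, description, price) VALUES (?, ?, ?)", SAMPLE_ROWS
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, product_id):
    """The 'before' pattern: the id is concatenated straight into the SQL text.

    Passing the string "1 OR 1=1" turns the WHERE clause into a tautology and
    returns every row; with a database that allows stacked statements the same
    hole is what lets an attacker append an UPDATE to every text column.
    """
    sql = "SELECT name FROM products WHERE id = " + str(product_id)
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, product_id):
    """The hardened pattern: explicit typing plus a bound parameter.

    The type check rejects anything that is not an integer before it reaches
    the database, and the '?' placeholder means the value is bound as data
    rather than spliced into the statement text.
    """
    if not isinstance(product_id, int):
        raise TypeError("product_id must be an int")
    rows = conn.execute("SELECT name FROM products WHERE id = ?", (product_id,))
    return [row[0] for row in rows]


def plant_injected_row(conn, row_id=2):
    """Simulate what the campaign left behind: append the script tag to one description.

    This is constructed test data so the scan below has something to find.
    """
    conn.execute(
        "UPDATE products SET description = description || ? WHERE id = ?",
        (INJECTED_TAG, row_id),
    )
    conn.commit()


def find_injected_script_tags(conn, table, columns):
    """Scan the given text columns for injected script tags.

    Returns (row id, column name, value) for every hit. The table and column
    names here come from our own schema, never from user input, which is the
    only reason string formatting is acceptable for them.
    """
    hits = []
    for col in columns:
        for row_id, value in conn.execute(f"SELECT id, {col} FROM {table}"):
            if isinstance(value, str) and SCRIPT_TAG_RE.search(value):
                hits.append((row_id, col, value))
    return hits


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, id=1:          ", lookup_vulnerable(db, 1))
    print("vulnerable, id='1 OR 1=1': ", lookup_vulnerable(db, "1 OR 1=1"))
    print("parameterized, id=1:       ", lookup_parameterized(db, 1))
    plant_injected_row(db)
    for hit in find_injected_script_tags(db, "products", ["name", "description"]):
        print("injected tag found:", hit)
```

The scan is deliberately crude (a regex over every row of a handful of columns); on a large database you would run it as a SQL `LIKE '%<script%'` first to narrow the rows, then apply the regex. It also only tells you a site has been hit, not how: the fix is still the parameterized query, not the cleanup.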