jorkeo - hosting geek : hosters

Fastlane Hosting Days Silverlight examples

jorkeo — Thu, 29 May 2008 02:01:55 GMT

For those that have visited my session at the hosting days "Silverlight for Web Hosters" here are the example sites that I used in the presentation.

Big Brother 08 - http://www.bigbrother.com.au/live-stream-sl.htm
ABC - http://shop.abc.net.au/browse/product.asp?productid=752400 (click preview)
Home Shopping Network - http://hsn.tv
BBC radio Deep Zoom - http://bigweekend.external.bbc.co.uk/
Hard Rock Cafe Memorabilia collection Deep Zoom - http://memorabilia.hardrock.com/
Chinese tapestry with intergrated storyboard - http://demos.e-crusade.com/TNM/TNM_Web/
Searching with Silverlight using a little know search engine :) - http://www.tabletpcpost.com/search/

If I find some more that demonstrate some interesting things, I'll make sure I add them.

- jorke

Technorati Tags: silverlight,hosting Days

Hacked Web Applications causing storm - rattling Windows...

jorkeo — Mon, 28 Apr 2008 16:01:35 GMT

For the past few days a "Cyber attack" has been taking place and according to internetnews.com :

"number of infected IIS servers at 282,000. Less than a day later, security firm F-Secure wrote its own blog entry, putting the infestation at over 500,000"

and f-secure :

"Performing a Google search results in over 510,000 modified pages."

Without pointing out the reporting inconsistencies between servers and pages .... what is actually happening here..

First of all its not at all related to the security advisory that was released last week. Nor is it in fact related to any other security issue with IIS, ASP, ASP.NET or Windows. It's really important to understand that, its all to do with dodgy and insecure development practices.

Well very simply put its an age old SQL injection attack on a web site that modifies the return code adding a hidden link to a site that downloads malware to client viewing the web page. Nothing new technology wise here, just a new method of delivery - which really should not affect those who have kept their machines up-to-date.

In this case the attackers have chosen to target ASP/ASPX based web sites that have poorly written validation methods and deliver their code via a database content management system. The result being that pages on the site will return a hidden script tag that directs to one of the sites listed in the earlier articles - which picks on particular vulnerabilities available on the client machine, not just those related to software developed by Microsoft either.

Well that's all very nice you say - but "How do I protect myself against these kind of attacks?".

The way I see it, there are three areas of responsibility where lies the ability to protect the world against those few malicious people.

1. The Developer - FIX YOUR BROKEN CODE! Seriously - check your code for possible attack vectors and test, test test. I've seen heaps of web sites and web servers compromised due to poorly written or no validation checking. Incorrect security settings deploying to high risk environments. Don't always assume you know who is going to access your app. Don't assume that app will exist with everything local to it. Catch those errors - I could go on. There is heaps of guidance around this - here is a few to start you off:

2.The Client - Keep your machine up-to-date - as Coatsy says "go to update.microsoft.com and Download the golden padlock of goodness" from Microsoft Update.

3. The System Admin / Hoster / Guy who has to run the web server - Hey I sympathise with you most (of course I would!) You have to get a site with poorly written code up and running, and now what? you have to check the thing isn't going to compromise your server? but of course the code supplied doesn't work in your standard low security settings to you need to bend the rules to allow that code to work.. Be Strong!

But you may have been too late, and you have to clean this mess up on your server - how are you going to prevent this malicious code being delivered to and from your server, while keeping everything up and running?

Stop the attack coming in

If you are using IIS7 or URLScan on IIS6.0/5.1 you can filter the request to prevent the incoming attacks. In IIS7 This is what the configuration string looks like in your server wide applicationhost.config file (based on the info in articles):

Stop it going out

This is a little trickier, but due to the awesome modularity of IIS7 (only going to look at this) you can very easily write a module that can look in all the requests scan for the URL sequence in the response and send it to null. More information on doing this is at the IIS.NET website. Hey, if I get enough comments I'll write one and post it up here!

Done and Dusted

What we all need to remember about these kind of attacks is that vulnerability in the web sites being targeted are not limited to just a particular operating system platform. SQL Injection attacks is rampant in many platform agnostic applications and its such a simple thing to prevent.

As you have probably guessed I'm pretty passionate about this subject, and when I see such misguided reports and irrational reactions to incorrect or misunderstood information, it inspires me to ensure that the truth of the issue is available. Speaking personally; In my short time at Microsoft, I have never seen such commitment behind ensuring that the Windows Operating System is the most versatile and secure operating system on earth.

- jorke

Note: Graphics "borrowed" from Microsoft Japan Security Bulletins

Technorati Tags: SQL Injection,Security Vunerability,IIS,Windows,Microsoft

MSExperts.org - a blog for.. er.. MS Experts

jorkeo — Wed, 06 Feb 2008 03:54:43 GMT

Cam told me about this blog a little ago and I've been following it so see what they're up to. I quite like the slogan - memoirs of a goldfish - make sure you blog it before you forget it forever.. although according to wikipedia - the myth of a goldfish having a 3 second memory is false..

There is really great quality posts there that address problems that a bunch of IT professionals run into every day of the week.

Check out some of the posts by Mark Rhodes - cracking good stuff for SharePoint.

- jorke

Technorati Tags: MSexperts,sharepoint,community

iis7forheroes.com - from Emantra

jorkeo — Wed, 23 Jan 2008 10:07:00 GMT

The guys at Emantra pinged me today with a project we've been talking about for a while, and I'm stoked these guys have pulled this off!

Go to their site http://iis7forheroes.com/ and get yourself some of:

The first SHARED IIS7.0 web hosting in Australia! (that I know of!)

Well done to Cam, Russ and Ross for a job well done, where can I get a shirt like the guy in the picture? :)

- jorke

Technorati Tags: emantra,hosting,iis7,iis7.0,windows server 2008

ISV Innovation Days

jorkeo — Wed, 03 Oct 2007 05:06:14 GMT

This is a great opportunity for hosters to network with Independent Software Vendors (ISV's) - as we all know that hosters are the platform of the future.

Here are the details from Luisa in our partner team:

ISV Innovation Days will allow you to connect with the Microsoft ISV Virtual Team (including representatives from the Microsoft Partner Team; and our Developer Platform Evangelism - DPE) and learn about the advantages and resources of becoming an early adopter for the 2008 launch wave products (Windows Server 2008, Visual Studio 2008, SQL Server 2008) in a relaxed workshop environment.

The Agenda includes New Opportunities with the 2008 Product Launch (for senior management), Whats new in Visual Studio 2008 & .NET Framework for Smart Client and Next Generation Web Development, What’s new in Windows Server 2008 for ISVs, What's Hot in SQL Server 2008 for our Customers and ISVs, and Integrating Business Solutions with Microsoft Office SharePoint

• Register Today in a city near you!

• Brisbane: 20 November 2007 (Microsoft Brisbane Office, Level 9, Waterfront Place, 1 Eagle Street, Brisbane, Queensland 4000)

• Melbourne: 27 November 2007 (Microsoft Melbourne Office, Level 5, 4 Freshwater Place, Southbank Victoria 3006)

• Sydney: 3 December 2007 (Department of State and Regional Development, Parkes Room, Level 47, MLC Centre, 19 Martin Place, Sydney New South Wales 2000)

• Perth: 6 December 2007 (Perth Microsoft Office, Level 14 QV1 Building, 250 St Georges Terrace, Perth Western Australia 6000)

• Adelaide: 7 December 2007 (Adelaide Microsoft Office, Level 2 Santos Building, 91 King William Street Adelaide South Australia 5000)

P.S. – in the afternoon, partners will have the opportunity for partnering with Microsoft in the healthcare industry. We’ll give you an overview of the significant investments Microsoft is making in healthcare around the world including the Connected Health Framework, Common User Interface and Health Connection Engine. You’ll also see real examples of exciting mobile devices and applications and learn why Microsoft and Intel together provide the ultimate platform for mobility in healthcare.

- jorke