Yesterday, Dropbox, which is a very popular file syncing utility that stores user’s data in the cloud, announced that it would decrypt and hand over files if the U.S. Government requested it.
The issue I have with this is not that they would give the requested data to the Feds, they really have no choice if the Feds have a warrant, buts its that Dropbox employees even have the ability to decrypt user’s data in the first place.
Maybe I am paranoid, but I do not like the idea that the employees of data storage companies have the ability to see my files. It seems to me that there now is a place in the market for another “Dropbox” like company, but one that gives the user control over its own encryption key.
Sure, there are tools out there that can be used to encrypt data before it even reaches the Dropbox servers. The first one that comes to mind is the wonderful, feature rich, and absolutely free tool called Truecrypt. However, using that with Dropbox its a hassle at best, not to mention that it would make the smartphone app completely useless.
Dropbox, we all love your service and you provide a great cloud storage solution, but please for the love of God, give us control over our own encryption keys. Give us the ability to ensure that we are the only ones that can access our data.
Below is a link to another article about this topic from PCWorld.com
Update: Dropbox Will Hand Over Your Files to the Feds If Asked
Wednesday, April 20, 2011
Wednesday, January 19, 2011
How to Crack almost any App on a Mac (and How to Prevent it)
How to Crack Just About Any Mac App (and How to Prevent It)
While the Mac is rarely targeted for security exploits and viruses, it's no stranger to software piracy—likely because Mac apps are pretty easy to crack. Here's how it can be done and how to prevent it.
How I'd Crack Your Mac App
Well, not you specifically, but by you I mean the average Mac developer. It's too easy to crack Mac apps. Way too easy. By walking through how I can hack your app with only one Terminal shell, I hope to shed some light on how this is most commonly done, and hopefully convince you to protect yourself against me. I'll be ending this article with some tips to prevent this kind of hack.
In order to follow along you're going to need a few command line utilities. You're going to need the Xcode tools installed. And, lastly, you're going to need an app to operate on. I will not explicitly name the app here but I chose it because it made a good example.
Let's start by making sure we have the two utilities we need: otx and class-dump. I like to use Homebrew as my package manager of choice. Note that I will use command line utilities only, including vim. If you prefer GUIs, feel free to use your code editor of choice, HexFiend and otx's GUI app.
$ sudo brew install otx
$ sudo brew install class-dump
The first step is to poke into the target app's headers, gentlemanly left intact by the unwitting developer.
$ cd Exces.app/Contents/MacOS
$ class-dump Exces | vim
Browse around, and find the following gem:
@interface SSExcesAppController : NSObject
{
[...]
BOOL registred;
[...]
- (void)verifyLicenseFile:(id)arg1;
- (id)verifyPath:(id)arg1;
- (BOOL)registred;
What do we have here?! A (badly spelt) variable and what looks like three methods related to registration. We can now focus our efforts around these symbols. Let's continue poking by disassembling the source code for these methods.
$ otx Exces -arch i386
Note that Exces is a universal binary, and that we need to ensure we only deal with the active architecture. In this case, Intel's i386. Let us find out what verifyLicenseFile: does.
-(void)[SSExcesAppController verifyLicenseFile:]
[...]
+34 0000521e e8c21e0100 calll 0x000170e5 -[(%esp,1) verifyPath:]
+39 00005223 85c0 testl %eax,%eax
+41 00005225 0f84e2000000 je 0x0000530d
[...]
+226 000052de c6472c01 movb $0x01,0x2c(%edi) (BOOL)registred
[...]
This is not straight Objective-C code, but rather assembly (what C compiles into). The first part of each line, the offset, +34, shows how many bytes into the method the instruction is. 0000521e is the address of the instruction within the program. e8c21e0100 is the instruction in byte code. calll 0x000170e5 is the instruction in assembly language. -[(%esp,1) verifyPath:] is what otx could gather the instruction to represent in Obj-C from the symbols left within the binary.
With this in mind, we can realize that verifyLicenseFile: calls the method verifyPath: and later sets the boolean instance variable registred. We can guess that verifyPath: is probably the method that checks the validity of a license file. We can see from the header that verifyPath: returns an object and thus would be way too complex to patch. We need something that deals in booleans.
Let's launch Exces in the gdb debugger and check when verifyLicenseFile: is called.
$ gdb Exces
(gdb) break [SSExcesAppController verifyLicenseFile:]
Breakpoint 1 at 0x5205
(gdb) run
No bite. The breakpoint is not hit on startup. We can assume that there's a good reason why verifyLicenseFile: and verifyPath: are two separate methods. While we could patch verifyLicenseFile: to always set registred to true, verifyLicenseFile: is probably called only to check license files entered by the user. Quit gdb and let's instead search for another piece of code that calls verifyPath:. In the otx dump, find the following in awakeFromNib:
-(void)[SSExcesAppController awakeFromNib]
[...]
+885 00004c8c a1a0410100 movl 0x000141a0,%eax verifyPath:
+890 00004c91 89442404 movl %eax,0x04(%esp)
+894 00004c95 e84b240100 calll 0x000170e5 -[(%esp,1) verifyPath:]
+899 00004c9a 85c0 testl %eax,%eax
+901 00004c9c 7409 je 0x00004ca7
+903 00004c9e 8b4508 movl 0x08(%ebp),%eax
+906 00004ca1 c6402c01 movb $0x01,0x2c(%eax) (BOOL)registred
+910 00004ca5 eb7d jmp 0x00004d24 return;
[...]
The code is almost identical to verifyLicenseFile:. Here's what happens:
1. verifyPath: is called. (+894 calll)
2. A test happens based on the result of the call. (+899 testl)
3. Based on the result of the text, jump if equal. (+901 je) A test followed by a je or jne (jump if not equal) is assembly-speak for an if statement.
4. The registred ivar is set, if we have not jumped away.
Since awakeFromNib is executed at launch, we can safely assume that if we override this check, we can fool the app into thinking it's registered. The easiest way to do that is to change the je into a jne, essentially reversing its meaning.
Search the dump for any jne statement, and compare it to the je:
+901 00004c9c 7409 je 0x00004ca7
+14 00004d9f 7534 jne 0x00004dd5 return;
7409 is the binary code for je 0x00004ca7. 7534 is a similar binary code. If we simply switch the binary code for the je to 7534, at address 00004c9c, we should have our crack. Let's test it out in gdb.
$ gdb Exces
(gdb) break [SSExcesAppController awakeFromNib]
Breakpoint 1 at 0x4920
(gdb) r
(gdb) x/x 0x00004c9c
0x4c9c <-[SSExcesAppController awakeFromNib]+901>: 0x458b0974
We break on awakeFromNib so we're able to fiddle around while the app is frozen. x/x reads the code in memory at the given address.Now here's the confusing thing to be aware of: endianness. While on disk, the binary code is normal, intel is a little-endian system which puts the most significant byte last, and thus reverses every four-byte block in memory. so while the code at address 0x4c9c is printed as 0x458b0974, it's actually 0x74098b45. We recognize the first two bytes 7409 from earlier.
We need to switch the first two bytes to 7534. Let's start by disassembling the method so we can better see our way around. Find the relevant statement:
0x00004c9c <-[SSExcesAppController awakeFromNib]+901>: je 0x4ca7 <-[SSExcesAppController awakeFromNib]+912>
Now let's edit code in memory.
(gdb) set {char}0x00004c9c=0x75
(gdb) x/x 0x00004c9c
0x4c9c <-[SSExcesAppController awakeFromNib]+901>: 0x458b0975
(gdb) set {char}0x00004c9d=0x34
(gdb) x/x 0x00004c9c
0x4c9c <-[SSExcesAppController awakeFromNib]+901>: 0x458b3475
Here we set the first byte at 0x00004c9c. By simply counting in hexadecimal, we know that the next byte goes at address 0x00004c9d, and set it as such. Let's disassemble again to check if the change was done right.
(gdb) disas
0x00004c9c <-[SSExcesAppController awakeFromNib]+901>: jne 0x4cd2 <-[SSExcesAppController awakeFromNib]+955>
Whoops, we made a mistake and changed the destination of the jump from +912 to +955. We realize that the first byte (74) of the byte code stands for the je/jne and the second byte is the offset, or how many bytes to jump by. We should only have changed 74 to 75, and not 09 to 34. Let's fix our mistake.
(gdb) set {char}0x00004c9c=0x75
(gdb) set {char}0x00004c9d=0x09
And check again…
0x00004c9c <-[SSExcesAppController awakeFromNib]+901>: jne 0x4ca7 <-[SSExcesAppController awakeFromNib]+912>
Hooray! This looks good! Let's execute the app to admire our crack.
(gdb) continue
Awesome! Victory! We're in, and the app thinks we're a legitimate customer. Well, not quite. We still need to make our change permanent. As it currently stands, everything will be erased as soon as we quit gdb. We need to edit the code on disk, in the actual binary file. Let's find a chunk of our edited binary big enough that it likely won't be repeated in the whole binary.
(gdb) x/8x 0x00004c9c
0x4c9c <-[SSExcesAppController awakeFromNib]+901>: 0x458b0975 0x2c40c608 0x8b7deb01 0xa4a10855
0x4cac <-[SSExcesAppController awakeFromNib]+917>: 0x89000141 0x89082454 0x89042444 0x26e82414
That's the memory representation of the code, a whole 8 blocks of four bytes starting at 0x00004c9c. Taking endianness into account, we must reverse them and we get the following:
0x75098b45 0x08c6402c 0x01eb7d8b 0x5508a1a4
0x41010089 0x54240889 0x44240489 0x1424e826
The very first byte of the series is the 74 that we switched into 75. By changing it back, we can deduce the original binary code to be:
0x74098b45 0x08c6402c 0x01eb7d8b 0x5508a1a4
0x41010089 0x54240889 0x44240489 0x1424e826
Let's open the binary in a hex editor. I used vim, but feel free to use any hex editor at this point. HexFiend has a great GUI.
(gdb) quit
$ vim Exces
This loads up the binary as ascii text, which is of little help. Convert it to hex thusly:
:%!xxd
vim formats hex like this:
0000000: cafe babe 0000 0002 0000 0012 0000 0000 ................
The first part, before the colon, is the address of block. Following it are 16 bytes, broken off in two-byte segments. Incidentally, every Mach-O binary starts with the hex bytes cafebabe. Drunk Kernel programmers probably thought it'd be funny. Now that we have our beautiful hex code loaded up, let's search for the first two bytes of our code to replace:
/7409
Too many results to make sense of. Let's add another two bytes. Search for "7409 8b45" instead and boom, only one result:
001fc90: 0089 4424 04e8 4b24 0100 85c0 7409 8b45 ..D$..K$....t..E
Edit it to the following:
001fc90: 0089 4424 04e8 4b24 0100 85c0 7509 8b45 ..D$..K$....t..E
Convert it back to binary form, then save and quit:
:%!xxd -r
:wq
And… We're done! To check our work, launch the app in gdb, break to [SSExcesAppController awakeFromNib] and disassemble.
$ gdb Exces
(gdb) break [SSExcesAppController awakeFromNib]
Breakpoint 1 at 0x4c90
(gdb) r
(gdb) disas
Admire our work:
0x00004c9c <-[SSExcesAppController awakeFromNib]+901>: jne 0x4ca7 <-[SSExcesAppController awakeFromNib]+912>
Quit gdb and relaunch the app from the Finder, and enjoy your awesome hacker skills.
How to Prevent This
Objective-C makes it really easy to mess with an app's internals. Try to program the licensing mechanism for your app in pure C, that will already make it harder for me to find my way around your binary.
A truly skilled hacker will always find his way around your protection, but implementing a bare minimum of security will weed out 99% of amateurs. I am somewhat of a skilled hacker but with some very basic knowledge I tore this app apart in no time. Implementing the various easy tips above takes very little time, yet you would have made it enough of a pain for me that I would have given up.
While the Mac is rarely targeted for security exploits and viruses, it's no stranger to software piracy—likely because Mac apps are pretty easy to crack. Here's how it can be done and how to prevent it.
How I'd Crack Your Mac App
Well, not you specifically, but by you I mean the average Mac developer. It's too easy to crack Mac apps. Way too easy. By walking through how I can hack your app with only one Terminal shell, I hope to shed some light on how this is most commonly done, and hopefully convince you to protect yourself against me. I'll be ending this article with some tips to prevent this kind of hack.
In order to follow along you're going to need a few command line utilities. You're going to need the Xcode tools installed. And, lastly, you're going to need an app to operate on. I will not explicitly name the app here but I chose it because it made a good example.
Let's start by making sure we have the two utilities we need: otx and class-dump. I like to use Homebrew as my package manager of choice. Note that I will use command line utilities only, including vim. If you prefer GUIs, feel free to use your code editor of choice, HexFiend and otx's GUI app.
$ sudo brew install otx
$ sudo brew install class-dump
The first step is to poke into the target app's headers, gentlemanly left intact by the unwitting developer.
$ cd Exces.app/Contents/MacOS
$ class-dump Exces | vim
Browse around, and find the following gem:
@interface SSExcesAppController : NSObject
{
[...]
BOOL registred;
[...]
- (void)verifyLicenseFile:(id)arg1;
- (id)verifyPath:(id)arg1;
- (BOOL)registred;
What do we have here?! A (badly spelt) variable and what looks like three methods related to registration. We can now focus our efforts around these symbols. Let's continue poking by disassembling the source code for these methods.
$ otx Exces -arch i386
Note that Exces is a universal binary, and that we need to ensure we only deal with the active architecture. In this case, Intel's i386. Let us find out what verifyLicenseFile: does.
-(void)[SSExcesAppController verifyLicenseFile:]
[...]
+34 0000521e e8c21e0100 calll 0x000170e5 -[(%esp,1) verifyPath:]
+39 00005223 85c0 testl %eax,%eax
+41 00005225 0f84e2000000 je 0x0000530d
[...]
+226 000052de c6472c01 movb $0x01,0x2c(%edi) (BOOL)registred
[...]
This is not straight Objective-C code, but rather assembly (what C compiles into). The first part of each line, the offset, +34, shows how many bytes into the method the instruction is. 0000521e is the address of the instruction within the program. e8c21e0100 is the instruction in byte code. calll 0x000170e5 is the instruction in assembly language. -[(%esp,1) verifyPath:] is what otx could gather the instruction to represent in Obj-C from the symbols left within the binary.
With this in mind, we can realize that verifyLicenseFile: calls the method verifyPath: and later sets the boolean instance variable registred. We can guess that verifyPath: is probably the method that checks the validity of a license file. We can see from the header that verifyPath: returns an object and thus would be way too complex to patch. We need something that deals in booleans.
Let's launch Exces in the gdb debugger and check when verifyLicenseFile: is called.
$ gdb Exces
(gdb) break [SSExcesAppController verifyLicenseFile:]
Breakpoint 1 at 0x5205
(gdb) run
No bite. The breakpoint is not hit on startup. We can assume that there's a good reason why verifyLicenseFile: and verifyPath: are two separate methods. While we could patch verifyLicenseFile: to always set registred to true, verifyLicenseFile: is probably called only to check license files entered by the user. Quit gdb and let's instead search for another piece of code that calls verifyPath:. In the otx dump, find the following in awakeFromNib:
-(void)[SSExcesAppController awakeFromNib]
[...]
+885 00004c8c a1a0410100 movl 0x000141a0,%eax verifyPath:
+890 00004c91 89442404 movl %eax,0x04(%esp)
+894 00004c95 e84b240100 calll 0x000170e5 -[(%esp,1) verifyPath:]
+899 00004c9a 85c0 testl %eax,%eax
+901 00004c9c 7409 je 0x00004ca7
+903 00004c9e 8b4508 movl 0x08(%ebp),%eax
+906 00004ca1 c6402c01 movb $0x01,0x2c(%eax) (BOOL)registred
+910 00004ca5 eb7d jmp 0x00004d24 return;
[...]
The code is almost identical to verifyLicenseFile:. Here's what happens:
1. verifyPath: is called. (+894 calll)
2. A test happens based on the result of the call. (+899 testl)
3. Based on the result of the text, jump if equal. (+901 je) A test followed by a je or jne (jump if not equal) is assembly-speak for an if statement.
4. The registred ivar is set, if we have not jumped away.
Since awakeFromNib is executed at launch, we can safely assume that if we override this check, we can fool the app into thinking it's registered. The easiest way to do that is to change the je into a jne, essentially reversing its meaning.
Search the dump for any jne statement, and compare it to the je:
+901 00004c9c 7409 je 0x00004ca7
+14 00004d9f 7534 jne 0x00004dd5 return;
7409 is the binary code for je 0x00004ca7. 7534 is a similar binary code. If we simply switch the binary code for the je to 7534, at address 00004c9c, we should have our crack. Let's test it out in gdb.
$ gdb Exces
(gdb) break [SSExcesAppController awakeFromNib]
Breakpoint 1 at 0x4920
(gdb) r
(gdb) x/x 0x00004c9c
0x4c9c <-[SSExcesAppController awakeFromNib]+901>: 0x458b0974
We break on awakeFromNib so we're able to fiddle around while the app is frozen. x/x reads the code in memory at the given address.Now here's the confusing thing to be aware of: endianness. While on disk, the binary code is normal, intel is a little-endian system which puts the most significant byte last, and thus reverses every four-byte block in memory. so while the code at address 0x4c9c is printed as 0x458b0974, it's actually 0x74098b45. We recognize the first two bytes 7409 from earlier.
We need to switch the first two bytes to 7534. Let's start by disassembling the method so we can better see our way around. Find the relevant statement:
0x00004c9c <-[SSExcesAppController awakeFromNib]+901>: je 0x4ca7 <-[SSExcesAppController awakeFromNib]+912>
Now let's edit code in memory.
(gdb) set {char}0x00004c9c=0x75
(gdb) x/x 0x00004c9c
0x4c9c <-[SSExcesAppController awakeFromNib]+901>: 0x458b0975
(gdb) set {char}0x00004c9d=0x34
(gdb) x/x 0x00004c9c
0x4c9c <-[SSExcesAppController awakeFromNib]+901>: 0x458b3475
Here we set the first byte at 0x00004c9c. By simply counting in hexadecimal, we know that the next byte goes at address 0x00004c9d, and set it as such. Let's disassemble again to check if the change was done right.
(gdb) disas
0x00004c9c <-[SSExcesAppController awakeFromNib]+901>: jne 0x4cd2 <-[SSExcesAppController awakeFromNib]+955>
Whoops, we made a mistake and changed the destination of the jump from +912 to +955. We realize that the first byte (74) of the byte code stands for the je/jne and the second byte is the offset, or how many bytes to jump by. We should only have changed 74 to 75, and not 09 to 34. Let's fix our mistake.
(gdb) set {char}0x00004c9c=0x75
(gdb) set {char}0x00004c9d=0x09
And check again…
0x00004c9c <-[SSExcesAppController awakeFromNib]+901>: jne 0x4ca7 <-[SSExcesAppController awakeFromNib]+912>
Hooray! This looks good! Let's execute the app to admire our crack.
(gdb) continue
Awesome! Victory! We're in, and the app thinks we're a legitimate customer. Well, not quite. We still need to make our change permanent. As it currently stands, everything will be erased as soon as we quit gdb. We need to edit the code on disk, in the actual binary file. Let's find a chunk of our edited binary big enough that it likely won't be repeated in the whole binary.
(gdb) x/8x 0x00004c9c
0x4c9c <-[SSExcesAppController awakeFromNib]+901>: 0x458b0975 0x2c40c608 0x8b7deb01 0xa4a10855
0x4cac <-[SSExcesAppController awakeFromNib]+917>: 0x89000141 0x89082454 0x89042444 0x26e82414
That's the memory representation of the code, a whole 8 blocks of four bytes starting at 0x00004c9c. Taking endianness into account, we must reverse them and we get the following:
0x75098b45 0x08c6402c 0x01eb7d8b 0x5508a1a4
0x41010089 0x54240889 0x44240489 0x1424e826
The very first byte of the series is the 74 that we switched into 75. By changing it back, we can deduce the original binary code to be:
0x74098b45 0x08c6402c 0x01eb7d8b 0x5508a1a4
0x41010089 0x54240889 0x44240489 0x1424e826
Let's open the binary in a hex editor. I used vim, but feel free to use any hex editor at this point. HexFiend has a great GUI.
(gdb) quit
$ vim Exces
This loads up the binary as ascii text, which is of little help. Convert it to hex thusly:
:%!xxd
vim formats hex like this:
0000000: cafe babe 0000 0002 0000 0012 0000 0000 ................
The first part, before the colon, is the address of block. Following it are 16 bytes, broken off in two-byte segments. Incidentally, every Mach-O binary starts with the hex bytes cafebabe. Drunk Kernel programmers probably thought it'd be funny. Now that we have our beautiful hex code loaded up, let's search for the first two bytes of our code to replace:
/7409
Too many results to make sense of. Let's add another two bytes. Search for "7409 8b45" instead and boom, only one result:
001fc90: 0089 4424 04e8 4b24 0100 85c0 7409 8b45 ..D$..K$....t..E
Edit it to the following:
001fc90: 0089 4424 04e8 4b24 0100 85c0 7509 8b45 ..D$..K$....t..E
Convert it back to binary form, then save and quit:
:%!xxd -r
:wq
And… We're done! To check our work, launch the app in gdb, break to [SSExcesAppController awakeFromNib] and disassemble.
$ gdb Exces
(gdb) break [SSExcesAppController awakeFromNib]
Breakpoint 1 at 0x4c90
(gdb) r
(gdb) disas
Admire our work:
0x00004c9c <-[SSExcesAppController awakeFromNib]+901>: jne 0x4ca7 <-[SSExcesAppController awakeFromNib]+912>
Quit gdb and relaunch the app from the Finder, and enjoy your awesome hacker skills.
How to Prevent This
Objective-C makes it really easy to mess with an app's internals. Try to program the licensing mechanism for your app in pure C, that will already make it harder for me to find my way around your binary.
A truly skilled hacker will always find his way around your protection, but implementing a bare minimum of security will weed out 99% of amateurs. I am somewhat of a skilled hacker but with some very basic knowledge I tore this app apart in no time. Implementing the various easy tips above takes very little time, yet you would have made it enough of a pain for me that I would have given up.
Wednesday, November 3, 2010
Testing for SQL Injection Vulnerabilities
SQL Injection attacks pose tremendous risks to web applications that depend upon a database backend to generate dynamic content. In this type of attack, hackers manipulate a web application in an attempt to inject their own SQL commands into those issued by the database. In this article, we take a look at several ways you can test your web applications to determine whether they're vulnerable to SQL Injection attacks.
Automated SQL Injection Scanning
One possibility is using an automated web application vulnerability scanner, such as HP's WebInspect, IBM's AppScan or Cenzic's Hailstorm. These tools all offer easy, automated ways to analyze your web applications for potential SQL Injection vulnerabilities. However, they're quite expensive, running at up to $25,000 per seat.
Manual SQL Injection Tests
What’s a poor application developer to do? You can actually run some basic tests to evaluate your web applications for SQL Injection vulnerabilities using nothing more than a web browser. First, a word of caution: the tests I describe only look for basic SQL Injection flaws. They won't detect advanced techniques and are somewhat tedious to use. If you can afford it, go with an automated scanner. However, if you can't handle that price tag, manual testing is a great first step.
The easiest way to evaluate whether an application is vulnerable is to experiment with innocuous injection attacks that won't actually harm your database if they succeed but will provide you with evidence that you need to correct a problem. For example, suppose you had a simple web application that looks up an individual in a database and provides contact information as a result. That page might use the following URL format:
http://myfakewebsite.com/directory.asp?lastname=trehern&firstname=jeff
We can assume that this page performs a database lookup, using a query similar to the following:
SELECT phone
FROM directory
WHERE lastname = 'trehern' and firstname= 'jeff'
Let's experiment with this a bit. With our assumption above, we can make a simple change to the URL that tests for SQL injection attacks:
http://myfakewebsite.com/directory.asp?lastname=trehern&firstname=jeff'+AND+(select+count(*)+from+fake)+%3e0+OR+'1'%3d'1
If the web application hasn't been properly protected against SQL injection, it simply plugs this fake first name into the SQL statement it executes against the database, resulting in:
SELECT phone
FROM directory
WHERE lastname = 'trehern' and firstname='jeff'
AND (select count(*) from fake)> 0
OR '1'='1'
You'll notice that the syntax above is a little different than that in the original URL. I took the liberty of converting the URL-encoded variable for their ASCII equivalents to make it easier to follow the example. For example, %3d is the URL-encoding for the '=' character. I also added some line breaks for similar purposes.
Evaluating the Results
The test comes when you try to load the webpage with the URL listed above. If the web application is well-behaved, it will strip out the single quotes from the input before passing the query to the database. This will simply result in a weird lookup for someone with a first name that includes a bunch of SQL! You'll see an error message from the application similar to the one below:
Error: No user found with name jeff+AND+(select+count(*)+from+fake)+%3e0+OR+1%3d1 trehern!
On the other hand, if the application is vulnerable to SQL injection, it will pass the statement directly to the database, resulting in one of two possibilities. First, if your server has detailed error messages enabled (which you shouldn't!), you'll see something like this:
Microsoft OLE DB Provider for ODBC Drivers error '80040e37'
[Microsoft][ODBC SQL Server Driver][SQL Server]Invalid object name 'fake'.
/directory.asp, line 13
On the other hand, if your web server doesn't display detailed error messages, you'll get a more generic error, such as:
Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.
Please contact the server administrator to inform of the time the error occurred and of anything you might have done that may have caused the error.
More information about this error may be available in the server error log.
If you receive either one of the two errors above, your application is vulnerable to SQL injection attack! Some steps that you can take to protect your applications against SQL Injection attacks include:
Implement parameter checking on all applications. For example, if you're asking someone to enter a customer number, make sure the input is numeric before executing the query.
Limit the permissions of the account that executes SQL queries. The rule of least privilege applies. If the account used to execute the query doesn't have permission to execute it, it will not succeed!
Use stored procedures (or similar techniques) to prevent users from directly interacting with SQL code.
Tuesday, November 2, 2010
SQL Injection
The vast majority of databases in use today have some form of web interface, allowing internal and/or external users easy access through familiar browser software. If you're security-conscious, you've undoubtedly spent a significant amount of time setting appropriate security permissions on your databases and web servers. Have you also considered the security of the code that powers the database-web interface?
One common type of database attack, the SQL Injection, allows a malicious individual to execute arbitrary SQL code on your server. Let's take a look at how it works by analyzing a very simple web application that processes customer orders. Suppose Acme Widgets has a simple page for existing customers where they simply enter their customer number to retrieve all of their current order information. The page itself might be a basic HTML form that contains a textbox called CustomerNumber and a submit button. When the form is submitted, the following SQL query is executed:
SELECT *
FROM Orders
WHERE CustomerNumber = CustomerNumber
The results of this query are then displayed on the results page. During a normal customer inquiry, this form works quite well. Suppose John visits the page and enters his customer ID (14). The following query would retrieve his results:
SELECT *
FROM Orders
WHERE CustomerNumber = 14
However, the same code can be a dangerous weapon in the hands of a malicious user. Imagine that Mal comes along and enters the following data in the CustomerNumber field: “14; DROP TABLE Orders”. This would cause the following query to execute:
SELECT *
FROM Orders
WHERE CustomerNumber = 14; DROP TABLE Orders
Obviously, this is not a good thing! There are several steps that you can take to protect your server against SQL Injection attacks:
Implement parameter checking on all applications. For example, if you’re asking someone to enter a customer number, make sure the input is numeric before executing the query. You may wish to go a step further and perform additional checks to ensure the customer number is the proper length, valid, etc.
Limit the permissions of the account that executes SQL queries. The rule of least privilege applies. If the account used to execute the query doesn’t have permission to drop tables, the table dropping will not succeed!
Use stored procedures (or similar techniques) to prevent users from directly interacting with SQL code.
As with many security principles, an ounce of prevention is worth a pound of cure. Take the time to verify the code running on your servers before disaster strikes!
Some Thoughts
I am often plagued by brief moments of clarity. Why does man obsess over what he cannot have? Why does man perpetually chase what he can never catch? Is it the never ending struggle to achieve the unattainable or is it rather the human condition that craves the constant pain and agony of disappointment? This is the question that must be, but can never be answered. This is the truest form of irony.
Is this the way the animal brain works? Always searching for what it cannot find? Can it not be said then that it is not the object for which we seek that is paramount. It is however, the journey itself. For in endeavors such as these, man can truly know himself. He can learn his limitations. He can learn how he acts in times of extreme pressure and sadness. In this self awakening, he will find his true self and therefore his path maybe shown to him.
It has been said that we only appreciate happiness because we have been sad. We can only appreciate goodness because we have known evil. If this is the case, then let us not frown upon times of heartache. Let us instead intricately examine every facet of these emotions, no matter how painful it may be, so that we may better appreciate times of brevity and happiness. Using this same logic, the person that has known the most heartache is the one that can know the most joy. Let us pray for the joyous times.
God is a God of order and balance. Both sides of the equation must equal each other. Good and bad, Yin and Yang. I have had a large amount of darkness. I am ready for the light. I have been in darkness for so long that I don't know how to enjoy the light. This is a sadness. Our world is in such turmoil and chaos that it affects every living thing. Some are more aware than others. Some are aware of the world behind the world. Sometimes I envy the ignorant.
Wednesday, October 27, 2010
Should I use Office 2011 for Mac?
Office 2010 won me back as a power user after Office 2003 stunk, Office 2007 was good but not great, and both OpenOffice and Google Apps had become quite compelling. Office 2010 was just so powerful and feature-rich that it was hard to ignore. Today’s launch of Office 2011 for the Mac brings most of this richness to an incredible growth platform, but somehow feels anticlimactic.
Don’t get me wrong. I’m happy not to have to launch a virtual machine every time I want the latest and greatest Office features on my Mac. Office 2011 is a great product like its Windows big brother. I’ve been using a press copy for a couple of weeks now and have been cranking out the PowerPoints, spreadsheets, and documents. I know that Outlook and Messenger are important to some people and have been both well-reviewed and are welcome additions. I’m a Gmail guy and tend to avoid mail clients like the plague, so these are non-issues for me, but bringing Outlook to the Mac platform was obviously a great business choice for Microsoft and one more pathway through which Macs will work their way into the enterprise.
And yet…
Even with the return of macro support and a revised interface that makes Office 2011 consistent with Office 2010, while still feeling more Mac than Windows…
Even with welcome updates that highlight just how much of an afterthought Office 2008 was…
Even with great templates and enhanced number-crunching abilities…
I just can’t get excited about Office 2011.
I know that Office remains the tool of choice for documentation, presentations, desktop data management, and communication for many businesses. I get that and I know that it isn’t going anywhere anytime soon in the corporate world. All the more power to the Mac for now being able to be seamlessly compatible with Office for Windows, both in file types and generally in user interface. And I don’t even completely disagree with a Gartner analyst who raved about the software:
“This is the best Office ever, not just on the Mac,” said Gartenberg. “It brings the Mac version to parity with the Windows version, but it still feels like Mac software, not a Windows port. Mac Office doesn’t feel like you walked into your house in the dark and someone rearranged all the furniture.”
The exclusion of OneNote, one of Office 2010’s best bits of software, as well as Microsoft’s failure to put Access on the Mac makes the “best Office version ever” assertion a bit dubious, although the interface and usability are quite good.The real question, though, aside from Mac users desperate to use their computers in corporate settings where Office remains the norm, is how many average Mac users will care that Office 2011 is just so incredibly dandy?
Mac users, after all, have a solid alternative on the cheap from Apple in their iWork software for most productivity and I’m actually finding myself more likely to produce everything from publication-ready documents to presentations in Adobe’s CS5 (and now Acrobat X) given the really powerful tools with the Creative Suite that Office simply can’t match. If what I need to do in terms of documentation or presentation can’t be handled in Google Apps, then I’m going to go whole hog and produce something really rich. Add in Adobe’s new ROME beta and there are more than enough alternatives for us stereotypical Mac creative types to just not be too fussed over Office 2011.
Aside from Adobe or Google, so much of what we (whether “we” means artsy Mac people or the world at large doesn’t really matter here) do ends up in a content management system, blog, or online somewhere makes Office 2011, no matter how good it is, just a little bit less spectacular than one might expect.
Because Office 2008 was such a weak product, and because Macs have traditionally been the tools of choice for designers and (more recently) developers, Mac users have grown accustomed to using “Not Office,” whatever that might be. Office 2011 is a boon for enterprise and business users, but won’t be the runaway hit that Office 2010 was. There just isn’t the need for it. We use Macs for a reason after all, and that reason usually isn’t to type Word documents, no matter improved the interface.
Don’t get me wrong. I’m happy not to have to launch a virtual machine every time I want the latest and greatest Office features on my Mac. Office 2011 is a great product like its Windows big brother. I’ve been using a press copy for a couple of weeks now and have been cranking out the PowerPoints, spreadsheets, and documents. I know that Outlook and Messenger are important to some people and have been both well-reviewed and are welcome additions. I’m a Gmail guy and tend to avoid mail clients like the plague, so these are non-issues for me, but bringing Outlook to the Mac platform was obviously a great business choice for Microsoft and one more pathway through which Macs will work their way into the enterprise.
And yet…
Even with the return of macro support and a revised interface that makes Office 2011 consistent with Office 2010, while still feeling more Mac than Windows…
Even with welcome updates that highlight just how much of an afterthought Office 2008 was…
Even with great templates and enhanced number-crunching abilities…
I just can’t get excited about Office 2011.
I know that Office remains the tool of choice for documentation, presentations, desktop data management, and communication for many businesses. I get that and I know that it isn’t going anywhere anytime soon in the corporate world. All the more power to the Mac for now being able to be seamlessly compatible with Office for Windows, both in file types and generally in user interface. And I don’t even completely disagree with a Gartner analyst who raved about the software:
“This is the best Office ever, not just on the Mac,” said Gartenberg. “It brings the Mac version to parity with the Windows version, but it still feels like Mac software, not a Windows port. Mac Office doesn’t feel like you walked into your house in the dark and someone rearranged all the furniture.”
The exclusion of OneNote, one of Office 2010’s best bits of software, as well as Microsoft’s failure to put Access on the Mac makes the “best Office version ever” assertion a bit dubious, although the interface and usability are quite good.The real question, though, aside from Mac users desperate to use their computers in corporate settings where Office remains the norm, is how many average Mac users will care that Office 2011 is just so incredibly dandy?
Mac users, after all, have a solid alternative on the cheap from Apple in their iWork software for most productivity and I’m actually finding myself more likely to produce everything from publication-ready documents to presentations in Adobe’s CS5 (and now Acrobat X) given the really powerful tools with the Creative Suite that Office simply can’t match. If what I need to do in terms of documentation or presentation can’t be handled in Google Apps, then I’m going to go whole hog and produce something really rich. Add in Adobe’s new ROME beta and there are more than enough alternatives for us stereotypical Mac creative types to just not be too fussed over Office 2011.
Aside from Adobe or Google, so much of what we (whether “we” means artsy Mac people or the world at large doesn’t really matter here) do ends up in a content management system, blog, or online somewhere makes Office 2011, no matter how good it is, just a little bit less spectacular than one might expect.
Because Office 2008 was such a weak product, and because Macs have traditionally been the tools of choice for designers and (more recently) developers, Mac users have grown accustomed to using “Not Office,” whatever that might be. Office 2011 is a boon for enterprise and business users, but won’t be the runaway hit that Office 2010 was. There just isn’t the need for it. We use Macs for a reason after all, and that reason usually isn’t to type Word documents, no matter improved the interface.
Thursday, October 7, 2010
Something Different
I know that most of my blogs are about techie stuff and programming techniques. However, tonight I am inclined to write about something completely different. This really isn’t going to follow any particular writing discipline and this post will pretty much just be me getting some things off my chest for my own benefit.
First, yes I admit it. I am a recovering angry youth. I wear too much black I have an inner adolescent that still wants to flip someone the bird when they make me mad or tell me what to do. I often feel like I can’t live without music. Although most people will not call what I listen to music. Its mostly dark gothic rock with some occasional jazz, classical, opera, and blues mixed in. I suppose in a nutshell I am somewhat of a goth freak. Oh well thats me and those of you who do not like it please stop reading this blog NOW!
Ok. There have been a lot of things going on in my life lately, some good, some bad, and some just dangerous! At any rate, life for me is usually just one big suck fest after the other with brief periods of happiness mixed in.
One thing am I struggling with is that people just always seem to use me. They either want me to do something for them, fix something for them, create something for them, or (and my biggest issue) think for them! Needless to say I hate doing that for the most part. There are a few people that I don’t mind helping because they deserve it and I just like them.
I often wonder if I am depressed or just crazy. I constantly listen to depressing music. Yes I listen to HIM all the time. I like the dark and hate the sunlight, I often feel overwhelmed with everything that goes on, and I have a HUGE problem trusting people. HELP!!!! So I have come up with a few thoughts about this.
There are a few basic existential realities we all confront: mortality, aloneness and meaninglessness. Most people are aware of these things. A friend dies suddenly, a coworker commits suicide or some planes fly into tall buildings-these events shake most of us up and remind us of the basic realities. We deal, we grieve, we hold our kids tighter, remind ourselves that life is short and therefore to be enjoyed, and then we move on. Persistently not being able to put the existential realities aside to live and enjoy life, engage those around us or take care of ourselves just might be a sign of depression.
We all get sad sometimes, struggle to fall asleep, lose our appetite or have a hard time focusing. Does this mean we are depressed? Not necessarily. So how do you know the difference? The answer, as with most psychological diagnoses comes down to one word: functioning. How are you sleeping and eating? Are you isolating yourself from others? Have you stopped enjoying the things you used to enjoy? Difficulty focusing and concentrating? Irritable? Tired? Lack of motivation? Do you feel hopeless? Feel excessively guilty or worthless? Experiencing some of these things may be a sign of depression.
Depression can range from mild to severe. People sometimes minimize how they are feeling by saying, “anyone would feel this way in this situation” or “it isn’t like I want to kill myself”. You don’t have to be suicidal to be depressed but is a symptom of depression. Thinking a lot about death or wanting or even planning how you might die is serious and needs immediate attention. Call a friend, a crisis center, your doctor, call 911 or even show up at an ER.
Doing those things are easier said than done for those of us that are depressed. Seeking help (for me at least) is like an admission of failure. Like I am admitting that I can’t deal with “it”. Whatever “it” is. At any rate, I hope this post lets someone know that you’re not alone and other people feel the same way you do so don’t give up.
I have some friends that I could talk to although at times I feel like I am unnecessarily bothering them. I have one friend that knows me better than anyone but our relationship has been strained recently and I don’t know how to fix it. I hope this person knows that they are very important to me and that I feel guilty because I feel the way I do (depressed).
It is hard to communicate feelings to another person, at least it is for me. This person however, has been very understanding and that is something you won’t find in many people. However, and I regret to say this, I feel that our friendship might be coming to an end and for this I am very sorry. I hope I am wrong and I suppose that only time will tell. I hope that I can find out soon. I am not sure I can live without this person.
Goodnight and I wish everyone a great day tomorrow.
Subscribe to:
Posts (Atom)