Monday, February 28, 2005

Turnout for the February UG meeting was excellent and eye-opening at the same time.  We had approximately 80 people in attendance once everyone managed to show up.  Of the 80 people in attendance, nearly half of them were at their very first User Group meeting.  I think that’s excellent!  We seem to be doing a good job at getting the word out.  Now it’s time to build up some dedication.

Shawn Wildermuth, Atlanta’s own ADO.Net MVP, whipped up a data-driven Windows Smartphone application for the group.  A demo in the truest sense (complete with gremlins preventing the demo from working at the last moment), Shawn wanted to show the group the differences between traditional PC development and Smartphone development.  The main difference Shawn hammered on was data entry.  A smartphone has only 12 buttons and no mouse.  This really forces you to think about your application’s data input methodology very differently.  Despite the demo problems, Shawn was able to continue his presentation gracefully and teach the group how to link a web service to his cellphone.

Dennis Hurst from SPI Dynamics (SPI like spy – they’re hackers) came to the group to tell us how a hacker breaks into a web application to steal your valuable data.  Dennis explained to the group that hackers generally attack applications at one of three layers:

  • network (HTTP and HTTPS attacks).  An important note here: SSL DOES guarantee that the data is encrypted in transit and, as long as the client checks the certificate, that it is coming from the server it claims to be.  What SSL does NOT do is validate the data inside the SSL pipe.  A malicious request arrives at the application encrypted, but it arrives just the same.
  • transport (messing with the HTTP requests).  This is where cross-site scripting attackers steal your HTTP cookies and pretend to be you.  This points out how critical your session cookies are: if one is hijacked, the hijacker can pretend to be you.  *note – to destroy a cookie (and be sure it’s gone) overwrite it with a blank value AND an expiry date in the past, on the same path and domain it was originally set with.  Marking session cookies HttpOnly also keeps script on the page from reading them in the first place.
  • web application attacks, which themselves come in three layers:
    • platform – known vulnerabilities in the server software and frameworks that can be easily exploited
    • administration – have you configured the server correctly?  Are you giving out too much information in your logs and statistics?  Are there remnant files left lying around on the server?
    • application vulnerabilities – how you deal with input from users (e.g. SQL injection, demonstrated with a neat SQL Injector tool)
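As an added example (not code from Dennis’s talk or from this write-up), here is the application-layer flaw from the last bullet in working Python: a login lookup that pastes user input straight into the SQL string, the parameterized version beside it, and two of the classic payloads run against both.  The in-memory table, user names and passwords are constructed for the example.

```python
import sqlite3

# Constructed sample data for this example; the names and passwords are invented.
USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """In-memory SQLite database standing in for the application's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    """The pattern an injection tool hunts for: user input is pasted straight
    into the SQL text, so a quote character in the input rewrites the query."""
    sql = (f"SELECT name FROM users WHERE name = '{name}' "
           f"AND password = '{password}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, name, password):
    """Same lookup with bound parameters: the values never become part of the
    SQL text, so a quote in the input is just a character to compare."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    row = conn.execute(sql, (name, password)).fetchone()
    return row[0] if row else None


# Two classic payloads.  The first turns the WHERE clause into
#   name = 'alice' AND password = '' OR '1'='1'      (true for every row);
# the second comments out the password check entirely:
#   name = 'alice'--' AND password = 'anything'
OR_TRUE = "' OR '1'='1"
COMMENT_OUT = "alice'--"


def run_demo():
    """Returns what each login function makes of the payloads."""
    conn = make_db()
    return {
        "vuln_or_true": login_vulnerable(conn, "alice", OR_TRUE),
        "vuln_comment": login_vulnerable(conn, COMMENT_OUT, "anything"),
        "safe_or_true": login_safe(conn, "alice", OR_TRUE),
        "safe_comment": login_safe(conn, COMMENT_OUT, "anything"),
        "safe_real": login_safe(conn, "alice", "s3cret"),
    }


if __name__ == "__main__":
    for check, result in run_demo().items():
        print(f"{check}: {result}")
```

Both payloads log the attacker in through `login_vulnerable` without a valid password; against `login_safe` they are just strings that match nobody, while the real password still works.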

Dennis introduced us to Google hacking – the practice of using Google searches to find systems that are vulnerable.  Cross-site scripting is one way phishing attackers steal your account information: you are fooled into following a link to what really is the valid site, but the link carries script that runs in your browser in that site’s context and sends your cookie off to another site.  Finally Dennis looked at session hijacking – where a website mistakes the hacker for someone they are not.  This is not the case where the cookie is stolen, but rather when the session identifier is predictable (sequential or otherwise guessable) or can simply be changed by the client.  Dennis showed several real-life examples of live sites that got this wrong (Guess.com and VictoriasSecret.com both faced regulatory enforcement actions over security flaws).
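An added example, not code from the talk or from this post, covering both the cookie note in the list above and the session-hijacking point: a toy server-side session store handing out sequential ids versus random ones, the guessing an attacker can do with each, and the Set-Cookie headers that keep a session cookie out of script’s reach and actually destroy it on logout.  The store, the user names and the `SESSIONID` cookie name are invented for the example.

```python
import itertools
import secrets


class SessionStore:
    """Minimal server-side session table: session id -> logged-in user."""

    def __init__(self, new_id):
        self._new_id = new_id          # function that mints a fresh session id
        self._sessions = {}

    def login(self, user):
        sid = self._new_id()
        self._sessions[sid] = user
        return sid

    def user_for(self, presented_id):
        # Only ids this server issued are honoured.  Accepting (or creating a
        # session for) whatever id the client presents is the "changeable
        # identifier" flaw.
        return self._sessions.get(presented_id)


def sequential_ids(start=1000):
    """The weak design: each login gets the next integer."""
    counter = itertools.count(start)
    return lambda: str(next(counter))


def random_ids():
    """128 bits from the OS CSPRNG; nothing to enumerate or predict."""
    return lambda: secrets.token_urlsafe(16)


def guess_ids(observed_id, width=5):
    """What an attacker can do with the id they were issued: if it is a plain
    number, try the ids handed out just before and after it; otherwise all
    that is left is blind guessing."""
    if observed_id.isdigit():
        base = int(observed_id)
        return [str(base + d) for d in range(-width, width + 1) if d != 0]
    return [secrets.token_urlsafe(16) for _ in range(10)]


def run_attack(new_id):
    """Victim logs in, then the attacker; returns the users the attacker can
    hijack by guessing from their own session id."""
    store = SessionStore(new_id)
    store.login("bob")                 # the victim (constructed)
    attacker_sid = store.login("mallory")
    hits = (store.user_for(g) for g in guess_ids(attacker_sid))
    return sorted({u for u in hits if u and u != "mallory"})


def session_cookie(session_id, secure=True):
    """Set-Cookie value for the session id.  HttpOnly keeps page script (and
    so a cross-site scripting payload) from reading it; Secure keeps it
    inside the SSL pipe."""
    attrs = [f"SESSIONID={session_id}", "Path=/", "HttpOnly"]
    if secure:
        attrs.append("Secure")
    return "; ".join(attrs)


def delete_cookie(name, path="/"):
    """Overwriting with a blank value alone leaves an empty cookie behind; to
    be sure it is gone, also expire it, on the same Path (and Domain) it was
    set with, or the browser treats it as a different cookie."""
    return (f"{name}=; Path={path}; Max-Age=0; "
            f"Expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly")


if __name__ == "__main__":
    print("sequential ids, hijacked:", run_attack(sequential_ids()))
    print("random ids, hijacked:    ", run_attack(random_ids()))
    print(session_cookie(random_ids()()))
    print(delete_cookie("SESSIONID"))
```

With sequential ids the attacker’s own id is one away from the victim’s, so a handful of guesses lands on Bob’s session; with random ids the same guessing finds nothing, and `user_for` refusing ids it never issued closes the “just change the identifier” route as well.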

Dennis was a great speaker with very engaging demos.  Look at the SPI Dynamics site for freely downloadable white papers, and search Microsoft’s site to find some webcasts he has done.

Announcements:
Check the calendar for upcoming user group announcements
March 24th – Geek Dinner!
May 14th – Atlanta Code Camp
May 18th – David Chappell is coming to town for an Indigo Roadshow.  Plan to be there, this will be something you don’t want to miss.

— Matt Ranlett