>Soundminer — a trojan that steals your credit card info by voice.

>Found this very impressive:

Essentially, Soundminer is a trojan that steals credit card data by listening for touch tones or audio. You can combine it with other malware to transmit the stolen information back to you. The mobile app is a proof of concept — it has to be installed and approved by the user to work (link to the paper here). However, I think that it very effectively proves that one should exercise caution with any electronic device, not just computers.

Smart devices – be they cell phones, multi-function printers, or projectors – should be considered as mini-computers; be careful what you install, and be careful what you access. Include it in your security planning, know how to react if a smart phone gets stolen or its security compromised, know what access these things have to your organization.

Security weaknesses due to smart devices are nothing new: I attended a brilliant Defcon 16 talk, Bringing Sexy Back: Breaking in with Style, during which Errata Security explained how they broke into a client network by mailing an iPhone with wifi enabled to the office. At Brucon 2010, Joe McCray mentioned ‘borrowing’ the network connections of MFPs during pen-testing exercises more than once. Our electronic devices are getting cooler and cooler – and security is the price to pay for the extra snazziness. Users be warned 🙂

>Ousting the color-coded terror warnings for a more audience-specific, detailed replacement

>In this article by AP news today, it is announced that the U.S. will be getting rid of their color-coded terror warnings. I see this as a small victory on the true ‘war on terror’ that has been plaguing us for a good ten years.

A culture of fear
Ever hear of the term ‘Culture of fear’? You have now. I highly recommend you check out the article in Wikipedia. In a nutshell, it is the (ab)use of people’s fears in order to meet your (generally political) goals. In Terry Pratchett’s A Hat Full Of Sky, a family is getting sick because their privies are right next to their drinking water. When explained that they’re getting sick from tiny animals because of the proximity of their outhouse to the water, and that they’ll feel better if they move it farther away, the family nods vigorously to the recommendation and doesn’t do anything. However, when told that water gremlins are attracted to the smell of the privies, the family takes action the same day.
Fear is a powerful tool for change. It is used in anything from parenting to politics; it’s uncomplicated, easy to spread, and drives people to relinquish even the most basic of rights. If you’re a reader of Bruce Schneier’s blog (http://www.schneier.com/), you’ve probably noted how often he touches upon this topic.
How do the color-coded terror warnings fit in?
Perfectly. They are easy to understand: Green = Safe. Red = Screwed. They require no empirical evidence. They put the fear of God in people — and to state this simple fact is laughable, therefore they are incontestable.
Myself, I’ve only seen the nation in an orangey-red state. Never seen green. Have you?
The official announcement is scheduled for later today, I believe, during which the replacement will be detailed; but it’s looking like this silly system’s going to be replaced by a more descriptive, audience-specific solution. “When agency officials think there is a threat the public should know about, they will issue an announcement and rely on news organizations and social media outlets to get the word out,” according to the article. This makes a lot more sense – instead of letting one of four colors tell you how afraid you should be, you get a page describing the threat and how you may be affected. Don’t know about you, but I’m all for that.
Fear can mobilize; but too much of it has the opposite effect. This is a small step to overcome the paralyzing fear the world has gotten itself tangled up in for the past decade, but hey: petit à petit, l’oiseau fait son nid.

>What does the frontend of an online hacker store look like? Courtesy of Boing Boing.

>I thought this post was both a frightening and yet strangely entertaining thought. It has such a ‘hollywood’ feel to it — perhaps this is why it’s so dangerous.

You’d think that this is an unsustainable business; I mean, don’t admins change their passwords at least from time to time? Don’t vulnerabilities get fixed, making it impossible to find the password in the long run?

Yeah, right. Site admins are probably as conscientious as they can be given their time and budget constraints. Also, it’s increasingly common for organizations to have ‘site admins’ that have more of an editing / web design background than a sysadmin / web dev / infosec background — an unfortunate consequence of increased outsourcing of web development and increased usability of CMS systems.

What did you expect to see on a webmaster’s CV 5-10 years ago? Fluency in HTML, CSS, and javascript, intermediate to advanced knowledge in a scripting language such as PHP perhaps, maybe some working knowledge of Flash, and definitely some experience with some web design package (like Dreamweaver) or IDE (such as Visual Studio .Net, Eclipse — or hell, even WebMatrix). The site admin was expected to liaise with the Comms team or something in order to put the content on the web, and had little to no experience in the field of editing or journalism.

Nowadays, it’s the opposite effect: with easy-to-use tools such as Drupal, Joomla, DotNetNuke, or Sharepoint, you don’t need nearly as many hard skills in order to administer and maintain a website. I’d go as far as to say that to recruit an admin with a strong technical background would only lead to the person’s frustration and eventual resignation. However, it does mean that this new generation of site administrators is less likely to exercise proper caution — reading access logs, using secure passwords, performing routine security tests and code reviews, and following security feeds in order to reduce the chances of your site getting pwned.

Okay wise-ass, I can hear you say, thanks for stating the problem — now what’s the solution?

Sadly, there is no easy solution for this. Ideally, in a small to medium organization, you want the web team to have at least one person managing the content, layout and editing of your website — let’s face it, we techies are generally allergic to such things (anyone that’s worked with me knows not to mention colors in my presence – I get hives). That person is the main ‘business’ liaison and project champion — let’s call him/her the ‘web editor’. Then, on the technical side, you’d have one web development liaison, and one sysadmin liaison. You don’t want the person that’s writing the code to review the code, or check the logs — each person has a set of responsibilities that complements the others. Nobody’s stuck with a laundry list of responsibilities, routine checks are more likely to be performed and, provided that there’s adequate communication between parties, one generally avoids getting listed on such sites as mentioned above.

>Restoring your content database from a full DB backup

>I’d been having some serious trouble with outgoing e-mail alerts with my Sharepoint Foundation server, so I decided to do something that I thought was somewhat reasonable: I figured I would reinstall sharepoint and restore my content database.

My server runs on a VM — no safer way to do this from an infrastructural point of view, BTW — so I took a snapshot of my system. I do this as a rule of thumb so that, if there are any cock-ups, I can completely revert to my original state before the procedure. This is where I made my first fundamental mistake. Mental note number one: ALWAYS double-check that you’ve made a snapshot of the right system; it helps if you’re not sleep-deprived.

I re-installed sharepoint and got the default content — so far so good. I then tried restoring the entire farm from my full backup. That should work, right? Wrong. For some shitty reason, you can’t restore the full farm’s state once you’ve reinstalled Sharepoint. I don’t know about you, but I think this sucks. I wanted to restore the state of my VM at that point — that’s when I realized that I’d screwed up and snapshotted the wrong machine. Nice.

I figured that, in the very least, I would want to restore the content database. I tried that right off the bat, and got an error indicating that I couldn’t attach the database to the web application. Don’t you just love those enlightening Microsoft messages? It would appear that the team just loves to think those up. Anyway. What you’re supposed to get out of that message is that Sharepoint cannot attach the content database to the site because one with the same name already exists. In other words, it refuses to overwrite the existing content database.

Thanks to this article by Sharepoint Girl, which essentially coaches you through removing the old content database and adding the new one, I was able to restore my DB. I would, however, like to point out that unless I’m very much mistaken, the article assumes that you have restored the WSS_Content DB under a different name (i.e. WSS_Content_Restore). That’s the only way I got Sharepoint to restore my DB, at least.
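The swap described above, scripted with SharePoint 2010 Management Shell cmdlets as an added example (not from the original post or the linked article). The web application URL and SQL instance are placeholders, and the backup is assumed to have already been restored in SQL Server as WSS_Content_Restore.

```powershell
# Added example: replace a web application's content database with a restored copy.
# Placeholders (assumptions, not from the post): $webApp and $sqlServer.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webApp     = "http://intranet.example.local"   # hypothetical web application URL
$sqlServer  = "SQLHOST\INSTANCE"                # placeholder SQL Server instance
$oldDb      = "WSS_Content"                     # database created by the reinstall
$restoredDb = "WSS_Content_Restore"             # backup restored under a new name

# 1. Record what is attached before changing anything.
Get-SPContentDatabase -WebApplication $webApp |
    Select-Object Name, Server, CurrentSiteCount | Out-Host

# 2. Check the restored database against this farm first. Missing features or
#    schema mismatches surface here instead of as a vague attach error later.
$issues   = Test-SPContentDatabase -Name $restoredDb -ServerInstance $sqlServer `
                                   -WebApplication $webApp
$blocking = $issues | Where-Object { $_.UpgradeBlocking }
if ($blocking) {
    $blocking | Format-List Category, Message, Remedy | Out-Host
    throw "Restored database has blocking issues; nothing was changed."
}

# 3. Detach the database that the fresh install created. Dismount only removes
#    the association with the farm; the SQL database stays in place, so this
#    step can be rolled back with Mount-SPContentDatabase.
Dismount-SPContentDatabase -Identity $oldDb -Confirm:$false

# 4. Attach the restored copy. This fails if the site collections it contains
#    are still registered through another attached database, which is why
#    step 3 has to come first.
Mount-SPContentDatabase -Name $restoredDb -DatabaseServer $sqlServer `
                        -WebApplication $webApp

# 5. Confirm the result: the restored database should now list its site count.
Get-SPContentDatabase -WebApplication $webApp |
    Select-Object Name, Server, CurrentSiteCount | Out-Host
```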

One final note: If you can, definitely go for a more robust, clustered installation. The standalone install is shite — doesn’t give you any control of the files, database backups or anything. Standalone is good enough for dev environments, but that’s pretty much it.

>Customizing your list’s look & feel in Sharepoint 2010

>I’ve been working on a Sharepoint 2010 intranet for a client; a real pain in the arse was setting up a feed with an image in the web part, customized ‘Add an item’ text and the ability to customize the look and feel via CSS. When you add the list as a web part to a sharepoint page, you’re unable to perform these customizations using a WYSIWYG editor or web part properties; however you can specify an XSL template. Here’s mine:

<?xml version="1.0"?>
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0" xmlns:ddwrt2="urn:frontpage:internal">
  <!-- SharePoint's own XSL templates; the call-template further down relies on these -->
  <xsl:include href="/_layouts/xsl/main.xsl"/>
  <xsl:include href="/_layouts/xsl/internal.xsl"/>
  <xsl:template match="/" xmlns:ddwrt="http://schemas.microsoft.com/WebParts/v2/DataView/runtime">
    <!-- Wrapper DIV with a class so the feed can be styled via CSS -->
    <div class="webfeed">
      <!-- Embedded image, floated to the right of the links -->
      <img src="/pages/SiteAssets/myimage.png" style="float: right;" class="boximage"></img>

      <!-- One link per list item that has a non-empty title -->
      <xsl:for-each select="/dsQueryResponse/Rows/Row">
        <xsl:if test="string-length(@Title) &gt; 0">
          <a href="/Lists/MyList/DispForm.aspx?ID={@ID}">
            <xsl:value-of select="@Title" /></a><br/><br/>
        </xsl:if>
      </xsl:for-each>

      <!-- Renders the line, the + icon and the customized 'Add' text -->
      <xsl:call-template name="Freeform">
        <xsl:with-param name="AddNewText">Add an item</xsl:with-param>
        <xsl:with-param name="ID">
          <!-- The ID value depends on the list's template type -->
          <xsl:choose>
            <xsl:when test="List/@TemplateType='104'">idHomePageNewAnnouncement</xsl:when>
            <xsl:when test="List/@TemplateType='101'">idHomePageNewDocument</xsl:when>
            <xsl:when test="List/@TemplateType='103'">idHomePageNewLink</xsl:when>
            <xsl:when test="List/@TemplateType='106'">idHomePageNewEvent</xsl:when>
            <xsl:when test="List/@TemplateType='119'">idHomePageNewWikiPage</xsl:when>
          </xsl:choose>
        </xsl:with-param>
      </xsl:call-template>
    </div>
  </xsl:template>
</xsl:stylesheet>



Normally, I *hate* color-coding anything; but since I’ve only used a few colors, it should be pretty easy to read.

I’m not going to go through the entire thing — I think the code is pretty self-explanatory (not that you should have been able to cook this shit up in your head or anything… But once you see it in front of you, it’s pretty easy to understand what each part is). However, I’ll walk through the highlights. If there’s anything you see that you don’t understand, or isn’t clear, feel free to comment!  

A customized ‘Add’ button:

Notice that one of the first things I do is include some of sharepoint’s own XSL templates — I’ve pointed these out in red.  Then, I add the ‘call-template’ section, which is highlighted in blue, at the end of my XSL. This renders the line, the + icon, and the Add text. I’ve highlighted the text you can customize in bold — you’ll have probably noted that what the code does is call a template from sharepoint XSL’s with two parameters. The first parameter is the text you want to customize; the second is a value that is computed based on the list’s type — if it’s an announcement, it’s set to idHomePageNewAnnouncement, if it’s a document it uses idHomePageNewDocument, and so forth. I generally save my images and resources in SiteAssets. Does anybody have any counter-indications there? I found it to be useful to make sure versioning is enabled for the repo; this way, if any changes in my resources mess up the layout or anything, I can revert to a previous version.

An embedded image:
The image (purple in the code) was pretty easy; notice that in order to embed it nicely in the text, I just used float: right in the style attribute. 
Additional styling:
Let’s face it: faffing about with XSL is fun, but not very practical for a web designer. I’m particularly sucky at aesthetics, so I want to make sure that I can pass off as much of that kind of work into the right hands as possible and make it as easy as I can.
Note the presence of the DIV (in green) at the beginning of the XSL: it has a class attached to it (webfeed) so that it can be customized via CSS. Same goes for the image described above (boximage). This means that you can have a CSS file in your SiteAssets repository in which you can put in any formatting specifications for both the links of the feed and the image of the feed; note that in order to apply this CSS, you’ll have to edit the portal’s master page(s) to reference it.
The benefit of having a separate CSS file from the site theme CSS is that it can be made accessible to your team’s web designer without granting the designer any particular permissions to the sharepoint server. The CSS file will be versioned, so you can quickly revert if something gets screwed up in the layout or colors, and if the file is accidentally deleted it can be restored from the Recycle Bin (rather than permanently deleted from a NetBIOS share…)

Addendum: I’ve also been asked to modify the behavior of the link; instead of opening a new page, it’s supposed to open up Sharepoint 2010’s new modal pop-up dialog box. What at first seemed really annoying and complicated turned out to be quite easy. Substitute this line:

<a href="/Lists/MyList/DispForm.aspx?ID={@ID}">
            <xsl:value-of select="@Title" /></a><br/><br/>

With these lines:

<xsl:variable name="formLink">/Lists/MyList/DispForm.aspx?ID=</xsl:variable>
<a>
  <!-- Plain link target: form URL plus the item's ID -->
  <xsl:attribute name="href">
    <xsl:value-of select="$formLink" />
    <xsl:value-of select="@ID" />
  </xsl:attribute>
  <!-- Open the same URL in the modal dialog instead of navigating away -->
  <xsl:attribute name="onClick">
    <xsl:text>javascript:NewItem2(event, &quot;</xsl:text>
    <xsl:value-of select="$formLink" />
    <xsl:value-of select="@ID" />
    <xsl:text>&amp;RootFolder=&quot;);javascript:return false;</xsl:text>
  </xsl:attribute>
  <xsl:value-of select="@Title" /></a><br/><br/>

What does this do? First, it assigns the URL to a variable, $formLink. Then, it renders that variable, followed by the item’s ID, in the ‘href’ attribute of the link. Finally, it calls an AJAX function of Sharepoint’s that opens up a modal dialog box and renders the content of the URL specified in $formLink. Presto! Instant Sharepoint 2010 panache.