Wireless Router Security Threat

The security company Sophos has blogged about a potential threat to most small business and domestic router owners.

WPS-enabled routers sometimes have a PIN to enable quick setup of new clients. The PIN is presented to the router, which sends back the full security details enabling the connection to be set up.

This presents an issue as the PIN is both shorter and less complex than most keys: only eight characters long and only containing numeric characters. To make matters worse Sophos report that the last character is only a checksum, meaning only seven characters form the actual code – leaving 10,000,000 (10^7) possible combinations.

Sophos further state that “the first half and second half [of the code] are sent separately and the protocol will confirm if only one half is correct.” This reduces the number of possible combinations for the first half to 10,000 (10^4) and for the second half to just 1,000 (10^3), meaning only 11,000 combinations need to be tested for the entire PIN.

This is 109 orders of magnitude lower than the 83,306,029,999,439,500,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000 possible combinations needed to crack a 63-character letters and numbers key itself – adding symbols would make the key harder still to crack.

I have a Netgear N300 router and this includes the WPS PIN function in addition to a push button, but fortunately this can be disabled from the control panel. Log on to the router manager and click on “Wireless Settings” under the “Advanced” title on the left menu.

This will give you the option to “Disable Router’s PIN”; check the box and then click on “Apply”. This may restart your wireless (active connections will be interrupted) and should prevent this vulnerability from being exploited on this router model.

N300 Router Manager Screenshot

For other routers you should check the manual or the manufacturer’s website for how to disable the PIN (or WPS completely if disabling the PIN alone isn’t available), and for whether a firmware update is available to prevent or slow down a brute force attack.

The original article detailing the weakness was blogged here.
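The arithmetic in the WPS post above, worked through as an added example (not code from Sophos or the original article). It also estimates how long the 11,000 combinations last when a firmware lockout slows attempts down; the per-attempt time and the lockout policy are hypothetical figures chosen for illustration.

```python
# Added example: search-space model for the WPS PIN weakness described above.
# The timing and lockout figures used at the bottom are constructed
# assumptions, not measurements of any router.
import math

PIN_DIGITS = 8        # full WPS PIN length
CHECKSUM_DIGITS = 1   # the last digit is derived from the other seven


def worst_case_guesses(halves_confirmed_separately: bool) -> int:
    """Guesses needed to cover every PIN value that can actually occur."""
    free_digits = PIN_DIGITS - CHECKSUM_DIGITS        # 7
    if not halves_confirmed_separately:
        return 10 ** free_digits                      # 10,000,000
    first_half = PIN_DIGITS // 2                      # 4 digits
    second_half = free_digits - first_half            # 3 free digits
    return 10 ** first_half + 10 ** second_half       # 10,000 + 1,000


def key_space(length: int = 63, alphabet: int = 62) -> int:
    """Combinations for a key of `length` letters (both cases) and digits."""
    return alphabet ** length


def orders_of_magnitude_gap() -> float:
    """log10 of (key combinations / split-PIN combinations)."""
    return math.log10(key_space()) - math.log10(worst_case_guesses(True))


def hours_to_exhaust(guesses: int, seconds_per_attempt: float,
                     lockout_after: int = 0,
                     lockout_seconds: float = 0) -> float:
    """Worst-case hours to try `guesses` PINs, optionally with a lockout of
    `lockout_seconds` after every `lockout_after` failed attempts."""
    total = guesses * seconds_per_attempt
    if lockout_after:
        total += ((guesses - 1) // lockout_after) * lockout_seconds
    return total / 3600


if __name__ == "__main__":
    split = worst_case_guesses(True)
    print("unsplit PIN space:", worst_case_guesses(False))
    print("split PIN space:  ", split)
    print("gap vs 63-char key: 10^%.1f" % orders_of_magnitude_gap())
    # Hypothetical figures: 2 s per attempt, 60 s lockout every 3 failures.
    print("no lockout:   %.1f h" % hours_to_exhaust(split, 2))
    print("with lockout: %.1f h" % hours_to_exhaust(split, 2, 3, 60))
```

Under these assumed figures a lockout stretches the worst case from hours to days, which is why disabling the PIN is the fix and rate limiting is only a delay.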

Are today’s pages really 33% larger than December 2010?

The BBC has this week published an article claiming that web pages are, on average, 33% larger than measured in December 2010.

The article cites data on web trends by the HTTP archive showing apparent growth in HTML, CSS, JavaScript and (perhaps most notably) image sizes.

Whilst I have no problem with the statement that the data “showed that average webpage sizes were trending steadily upward throughout 2011”, the article goes on to state that sizes “jumped sharply in October”.

Looking at the graphs this does indeed appear to be the case, with an extremely large increase in overall page size from 830KB in October 2011 to 929KB in November.

So why a nearly 12% increase in just one month? Did designers make a collective decision to use more and higher resolution images? Did developers all suddenly upgrade existing websites to HTML5 and CSS3 – adding new semantic elements and previously unavailable styling rules? Is the November release of the wildly popular jQuery library causing JavaScript to weigh in more heavily on the scales?

The truth of course is that all of the above* are happening as small parts of wider and more complex changes to web technologies and techniques, but at a much less dramatic pace than the charts would at first glance suggest.

Crucial to understanding this massive jump is the very first chart on the page, which shows the number of URLs the data is drawn from increasing more than threefold from around 17,000 URLs to 53,579. This sudden increase in the number of URLs the data is collected from can be explained by visiting the FAQ page, which states “Starting in November 2011, the list of URLs is based solely on the Alexa Top 1,000,000 Sites”, in place of a union of smaller lists for the earlier data period.

Comparing different time periods from different datasets will not, as any statistics student will tell you, produce a meaningful outcome. The 239KB (32.92%) increase in page weight over the year that was quoted by the BBC is unreliable as it compares averages taken from different groups of pages.

If we instead compare the “intersection” data, the “set of URLs that were measured in every run”, we see a more modest rise of 142KB (22.29%) in average page size.

I do not for a moment dispute the warnings of the need to optimize loading times and manage resource sizes carefully, especially with rapid growth in mobile browsing, but it is important that conclusions are reached and decisions are based on solid data, and that just doesn’t seem to have happened here.

*In general I’d expect CSS3 rules to add less page weight overall than the image hacks they often replace

CSS validator link and CSS3 profile

Many web authors I know will use the W3C validators to prove that they have taken the time to ensure their sites comply with the W3C standards – and will often put links on their sites themselves to demonstrate this both to clients and visitors.

For some it can be an important part of proving compliance with legislation relating to disability access: using standards-based CSS styles and layout on your HTML content can help screenreaders make sense of content compared to legacy tables and frames based methods.

Those developers who have been experimenting with the more benign new properties added in CSS3 like border-radius may have noticed that the standard CSS validator link-

http://jigsaw.w3.org/css-validator/check/referer

defaults to the W3C recommended CSS 2.1, and pages will fail validation where CSS3 properties are used.

When manually validating pages you can select the “profile” used under “More options” but it is neither practical nor desirable to tell your users to go back and validate the site again using this method.

Thankfully the W3C validator includes documented parameters you can add to the request URL, which include an option to select the profile you would like to validate the site against.

If we change our validator link to-

http://jigsaw.w3.org/css-validator/check?uri=referer&profile=css3

the referring site will automatically be validated against the CSS3 profile and new properties will not throw up an error when used (except non-standard vendor-specific ones prefixed by -moz or -webkit).

This means that there is no reason for developers not to use CSS3 properties for non-functional styling in those browsers that support it, even where you either need or want to show a validator link for your styling.

CSS Friendly and Visual Studio 2010

I spent a considerable amount of time trying to work out why I was able to correctly view treeview controls using the excellent CSS Friendly Control Adapters whilst working locally in Visual Studio 2010, only to find the same project when uploaded reverted to using nested tables in the markup.

The CSSFriendly.dll file was in the bin, the CssFriendlyAdapters.browser file was correctly present in the App_Browsers directory, but still it refused to render using UL and LI controls. Run the project locally and all was correct.

I tried publishing using VS 2010 in case FileZilla was corrupting the file or incorrectly setting permissions, setting transfer mode to binary from auto, changing the directory to the root of the hosting as alluded to on a FAQ published on the host about bin folder locations, removing references to external scripts... nothing would work.

Thankfully I am nothing if not stubborn and stumbled across a post on Stack Overflow which suggested a bug in Visual Studio 2010. On checking in /bin there was indeed an App_Browser.dll file (which I have never seen using this control adapter before) and deleting it immediately resulted in correct behaviour.

I don’t want to claim credit for this discovery (I am eternally grateful to the author); I simply want there to be as many references to the problem available as possible, so that other users don’t waste the time I have on the problem.

Hiding specific sitemap nodes in a treeview

Background: I am currently working on a project that has a forked workflow. Users will be working on one of a number of streams and, due to the requirements of the tasks involved, will not be able to move back and forth between these streams.

For this reason, and to improve usability, we wanted to hide specific site map nodes from the main TreeView menu and have these displayed in a separate colour-coded TreeView menu which would appear and disappear based on the current workflow, i.e. pages with functions specific to any given workflow would only appear once the user had started that workflow. (NB: with this approach it is still important to have error handling on each page should the user session not contain the expected data for that control/page on load, and either alert the user or direct the user back to the appropriate point in the workflow, as users can directly type the URL or use the back/forward buttons or browser history. Simply hiding the link is not enough.)

We set up individual workflow TreeView menus with separate sitemap files containing only those pages and nested from the main sitemap so we could-

  • Provide a full sitemap on the custom 404 page
  • Use a SiteMapPath to show a breadcrumb

The structure of the sitemaps is therefore-

Web.sitemap
-Workflow1.sitemap
-Workflow2.sitemap

Sitemaps can be nested from the primary sitemap by using the following syntax-

<siteMapNode siteMapFile="Workflow1.sitemap" />

The nesting allows the SiteMapPath to see your individual workflow pages, but also makes these visible to an asp:TreeView control using the primary/default sitemap.

To deal with this I borrowed heavily from an ASP.NET site forum thread, which gave me the bulk of the solution; only a small tweak to the code was required to remove the nodes.

In the sitemap files I added an attribute visible="false" to those pages I did not want to appear on the main menu. The syntax for this is-

<siteMapNode url="~/Workflow1/Page.aspx" title="Page Title" description="Page Description" visible="false" />

I then added an “OnTreeNodeDataBound” event handler to the asp:TreeView control. The syntax for this is-

<asp:TreeView DataSourceID="SiteMapDataSource1" ExpandDepth="0" ID="TreeView1" OnTreeNodeDataBound="TreeView1_TreeNodeDataBound" runat="server"></asp:TreeView>

In the code-behind file (Page.aspx.cs) I added the code-

protected void TreeView1_TreeNodeDataBound(object sender, TreeNodeEventArgs e)
{
    // DataItem is only a SiteMapNode when the TreeView is bound to a sitemap
    SiteMapNode node = e.Node.DataItem as SiteMapNode;
    if (node == null)
    {
        return;
    }

    // Check for the visible attribute and if false remove the node from the tree;
    // this allows nodes to appear in the SiteMapPath but not show on the menu
    bool isVisible;
    if (!string.IsNullOrEmpty(node["visible"])
        && bool.TryParse(node["visible"], out isVisible)
        && !isVisible)
    {
        TreeView1.Nodes.Remove(e.Node);
    }
}

This is almost identical to the previously linked thread and credit must go to Dave Sussman for this, but in order to get it to work without the “Object reference not set to an instance of an object” error cited by banksidepoet I had to change the line-

e.Node.Parent.ChildNodes.Remove(e.Node);

To read-

TreeView1.Nodes.Remove(e.Node);

This hides the unwanted nodes from the main menu, allowing us to set up additional asp:TreeView controls, each with a corresponding asp:SiteMapDataSource. In order to point a SiteMapDataSource at a different sitemap we need to add providers to the Web.config-

<siteMap defaultProvider="FullSiteMapProvider">
    <providers>
        <add name="FullSiteMapProvider" siteMapFile="Web.sitemap" type="System.Web.XmlSiteMapProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
        <add name="Workflow1SiteMapProvider" siteMapFile="Workflow1.sitemap" type="System.Web.XmlSiteMapProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
        <add name="Workflow2SiteMapProvider" siteMapFile="Workflow2.sitemap" type="System.Web.XmlSiteMapProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
    </providers>
</siteMap>

The SiteMapDataSource control can then have the SiteMapProvider attribute set to tell it to use the separate .sitemap file containing that subset of pages-

<asp:SiteMapDataSource ID="Workflow1SiteMapDataSource" ShowStartingNode="false" SiteMapProvider="Workflow1SiteMapProvider" runat="server" />

This then needs to be set as the DataSourceID of the TreeView itself-

<asp:TreeView DataSourceID="Workflow1SiteMapDataSource" ID="Workflow1TreeView" runat="server" >
</asp:TreeView>

Lastly, with each of the nested sitemap files (as all sitemaps require a single root siteMapNode) I used the format-

<?xml version="1.0" encoding="utf-8" ?>
<siteMap xmlns="http://schemas.microsoft.com/AspNet/SiteMap-File-1.0" >
    <siteMapNode title="Workflow 1" visible="false">
        <siteMapNode url="~/Workflow1/Page1.aspx" title="Page 1 title" description="Page 1 description" visible="true" />
        <siteMapNode url="~/Workflow1/Page2.aspx" title="Page 2 title" description="Page 2 description" visible="true" />
        <siteMapNode url="~/Workflow1/Page3.aspx" title="Page 3 title" description="Page 3 description" visible="true" />
    </siteMapNode>
</siteMap>

You’ll note there is no URL or description set for the parent node. It is not displayed in our TreeView menus because we have set ShowStartingNode="false" in our SiteMapDataSource, but the title is displayed in the breadcrumb. Thus we would see-

Site > Workflow 1 > Page 1 title

Generated by the SiteMapPath control.

I hope this helps save someone time and research.

Publisher cannot open the file

When attempting to create a custom border in Microsoft Publisher XP/2002/2003, limited users get the error message “Publisher cannot open the file” when saving the border.

This does not apply to administrative users.

The error message is in fact deceptive as it is a write and not a read permissions error. Limited users do not have write permissions to the :\Program Files\Microsoft Office\Office 1x\1033\PUBBRD directory.

Simply change these permissions to give local users modify permission on the directory and limited users will be able to create custom borders.

(Please note that x will vary with the version of Office you have installed and that Office 12 may appear when the Office 2007 compatibility pack is installed; you should change the directory permissions within the Office 11 folder).

OWA fails to load at weekends

This isn’t a problem I’ve seen documented anywhere else, and may be specific to our environment, but is one I wanted to document for future reference by anyone who may be experiencing similar problems.

Users attempting to read e-mail using Outlook Web Access at weekends were greeted with an incomplete page, entirely without graphics, and were unable to properly read e-mail.

Having previously installed PRTG Network Monitor I set up notifications outside of working hours and included HTTP sensors for each of our primary servers. These simply attempt to connect to IIS on port 80 and report back if unsuccessful.

We had noticed alerts reading “HTTP/1.1 401 Unauthorized” starting on Saturday and then disappearing on Monday morning. Looking in more detail at the time stamps of these alerts revealed that the “up” state for the sensor was being reached a few minutes after midnight on the Monday. As PRTG was set to scan every ten minutes it became apparent that the problem had disappeared on the very first scan after midnight.

This led me to investigate the built-in accounts used by IIS in order to serve content. These are usually found in the users OU of Active Directory and in the format-

IUSR_ “Built-in account for anonymous access to Internet Information Services”
IWAM_ “Built-in account for Internet Information Services to start out of process applications”

For each of the servers that were reporting “HTTP/1.1 401 Unauthorized”, these accounts’ Login Hours were set to deny login at midnight on Friday and permit it again from midnight Sunday.

Adjusting these Login Hours in Active Directory to permit login for the entire week immediately resolved the issue (no services need to be restarted).

Defragmenting your hard drive

Computers use file systems to organise the data held on a hard drive. The theory behind these systems is not unlike those used in filing cabinets in offices and it is perhaps useful to think of the hard drive in your computer as a filing cabinet in a busy office.

Like the filing cabinet, our hard drives rarely remain the same for long. Software is frequently installed or removed, and files are almost constantly saved, deleted or modified. Sometimes the user initiates this change (saving or deleting a Word file for example); other times changes are made to system files in the background, without the user ever becoming aware.

Unlike a physical filing cabinet, where labelling and grouping of files is important to enable them to be found efficiently, files are written to the first available area of free space on the disk. Sometimes this area of free space is smaller than the file to be written and the file has to be split. Any file that is stored on two or more areas of the disk in this way is said to be fragmented.

As a disk becomes more full, like a filing cabinet, areas of free space become smaller- increasing the chances of fragmentation.

The problem is compounded as disks are not typically re-organised when files are deleted, leaving many small areas of free space. Imagine a filing cabinet where files are removed without the remaining files being pushed together- leaving gaps between files.

Defragmentation is the process of re-organising the disk, moving files around the disk to bring the fragments of files together and create larger continuous areas of free space, reducing future fragmentation.

This can have significant performance benefits as file access time is reduced, causing programs to load faster and the system as a whole to become more responsive.

Windows includes a simple utility to defragment your hard drive. This utility is not able to defragment or move files in use, such as those used by Windows, so some power users prefer to buy commercial utilities that boot from external storage such as a CD or DVD and are able to defragment a hard drive in full. Despite this the utility is entirely adequate for the majority of users and can make a significant difference to the performance of your computer.

To defragment your Hard Drive in Windows XP

  1. Open “My Computer” from the Start Menu or Desktop as appropriate.
  2. Select a Hard Disk Drive you wish to defragment and right click on it, selecting “Properties” from the context menu (figure 1).

     Figure 1: Hard Drive Context Menu

  3. Click on the “Tools” tab on the Local Disk Properties screen (figure 2 below).

     Figure 2: Local Disk Properties General Tab

  4. Click on the “Defragment Now…” button (figure 3 below).

     Figure 3: Local Disk Properties Tools Tab

  5. In the “Disk Defragmenter” window select the volume (disk) you wish to defragment and click on the “Analyze” button (figure 4).

     Figure 4: Disk Defragmenter

  6. Analysis may take some time to complete, especially on large or full drives, or where defragmentation has not recently been completed. After the Disk Defragmenter tool has analyzed the drive it will present you with a summary stating either “You should defragment this volume” or “You do not need to defragment this volume” (figure 5).

     Figure 5: You should defragment this volume

  7. Click on the “Defragment” button to begin defragmentation of the volume. Defragmentation may take several hours to complete, especially with large or full drives or where defragmentation has not been completed for some time. Some users choose to leave a drive defragmenting overnight. Alternatively you can defragment a drive in the background while you work, although frequent file access and/or changes will reduce the effectiveness of the defragmentation. Defragmentation can safely be paused or stopped at any time during the process by clicking on the relevant button on the Disk Defragmenter screen.

     Figure 6: Defragmenting

NB: At least 15% free space is required on the disk you wish to defragment.

Defragmenting a Drive in Windows Vista

Creating a Desktop Shortcut

In order to access some documents or programs more quickly it is often useful to create a desktop shortcut, allowing immediate access to the file without having to find your way through folders to the location where it is stored.

This short blog post will provide a simple walk through, helping you create shortcuts quickly and easily to optimise your work.

Method 1: From the desktop

  1. Right click on an area of the desktop where there is not already a shortcut.
  2. Select New from the context menu (figure 1).

     Figure 1: Desktop Context Menu

  3. Select Shortcut from that list.
  4. The Create Shortcut Wizard then launches (figure 2).
  5. Click on the “Browse…” button.

     Figure 2: Create Shortcut Wizard

  6. Navigate to the folder where your file is stored, select it and click “Ok” (figure 3).

     Figure 3: Select the file

  7. Click “Next” on the Create Shortcut Wizard screen (figure 4).

     Figure 4: Click Next on Create Shortcut Wizard Screen

  8. If you want to choose a different name for your shortcut, type it in the “Type a name for this shortcut” box now (figure 5). Otherwise leave it as the file name.

     Figure 5: Name your shortcut

  9. Click on the Finish button.
  10. A shortcut to your file will have been created on the desktop (figure 6). Click on the shortcut to open the file.

     Figure 6: The finished shortcut

In the next blog post we’ll look at how you can create a shortcut from the file itself.

Removing disconnected network printers

Warning: Modifying the registry can result in unexpected and undesirable changes to your operating system. Always ensure you have taken a full backup of your current registry configuration prior to making any changes, and that you are able to restore this in the event of problems. Inexperienced users should not attempt to modify the registry without assistance.

Following a share name or server change you may be unable to delete network printers, receiving the following error message-

“Printer cannot be removed. Either the printer name was typed incorrectly, or the specified printer has lost its connection to the server. For more information, click Help”

To resolve this-

1. Stop the spooler service (net stop spooler or services.msc)

2. Click on the Start Menu and select “Run”

3. Type “Regedit” into the dialogue box and click “Ok” or press “Enter”

4. Navigate to the following key-

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Providers\LanMan Print Services\Servers

5. Delete the server (in the case of a server change) or the printer (in the case of a share name change).

6. Restart the computer and the printer should have disappeared from “Printers and Faxes”.

If necessary the driver can then be removed within “Printers and Faxes” by clicking on “File” > “Server Properties”, selecting the “Drivers” tab and clicking the “Remove” button with the driver selected.