
Posts tagged: security

The Software Updates Menu

By , December 20, 2016 12:35 pm

We introduced the Software Updates menu in 2012, at the same time as automatic software updates. Since then we have applied various bug fixes to the updater itself, but we'd done nothing with the Software Updates menu at all. Until recently.

In response to some unusual problems a few of our customers have had, we thought we could improve the experience of using the software updates function.

Problems with authentication

One customer reported that although he'd entered his login credentials, the login and download were failing, and yet our software wasn't prompting him for a correct set of credentials (which is what should happen). After some investigation we found that several distinct failures on our server were being amalgamated into one global error code before being sent back to the client. The client handled that code correctly as far as it went, but the response did not match the specific error that had occurred on the server. We broke all the failure points on the server into discrete error codes and now handle each of them individually on the client. This allowed the customer's real problem to surface: his credentials were in fact incorrect, because he'd made a typo while entering them.

In addition to this we've changed the email entry fields so that they validate that only characters valid in an email address can be entered: enter an invalid one and the field turns red. Not enough @ characters, too many @ characters, unquoted whitespace in the user name, whitespace in the domain, and so on: all red.
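As an added example (not code from the Validator products), the following C++ function applies the rules just described in a single pass over the string and returns a distinct result for each failure, which is what would drive the red state of the field. It is a character-level check rather than full RFC 5322 validation; the allowed character sets for the local part and the domain are assumptions chosen to match the usual mailbox syntax.

```cpp
// Added example, not the Validator products' own code. Character-level
// check mirroring the rules in the post; the allowed character sets are
// assumptions (the usual mailbox syntax), not full RFC 5322 validation.
#include <cctype>
#include <string>

enum class EmailCheck {
    Ok, Empty, NoAt, TooManyAt, EmptyLocal, EmptyDomain,
    UnquotedWhitespace, WhitespaceInDomain, UnterminatedQuote,
    BadLocalChar, BadDomainChar
};

static bool is_space(char c) { return std::isspace(static_cast<unsigned char>(c)) != 0; }
static bool is_alnum(char c) { return std::isalnum(static_cast<unsigned char>(c)) != 0; }

// Unquoted local part: letters, digits and the usual mailbox specials.
static bool local_char_ok(char c) {
    static const std::string specials = "!#$%&'*+/=?^_`{|}~.-";
    return is_alnum(c) || specials.find(c) != std::string::npos;
}

// Domain: letters, digits, '-' and '.'.
static bool domain_char_ok(char c) { return is_alnum(c) || c == '-' || c == '.'; }

EmailCheck check_email(const std::string& s) {
    const size_t n = s.size();
    if (n == 0) return EmailCheck::Empty;
    size_t i = 0;
    if (s[0] == '"') {
        // Quoted local part: whitespace (and even '@') is allowed inside the quotes.
        i = 1;
        while (i < n && s[i] != '"') ++i;
        if (i >= n) return EmailCheck::UnterminatedQuote;
        if (i == 1) return EmailCheck::EmptyLocal;   // ""
        ++i;                                         // step past the closing quote
    } else {
        while (i < n && s[i] != '@') {
            if (is_space(s[i])) return EmailCheck::UnquotedWhitespace;
            if (!local_char_ok(s[i])) return EmailCheck::BadLocalChar;
            ++i;
        }
        if (i == 0) return EmailCheck::EmptyLocal;
    }
    if (i >= n) return EmailCheck::NoAt;              // not enough '@'
    if (s[i] != '@') return EmailCheck::BadLocalChar; // junk after a quoted local part
    if (++i >= n) return EmailCheck::EmptyDomain;
    for (; i < n; ++i) {
        if (s[i] == '@') return EmailCheck::TooManyAt;
        if (is_space(s[i])) return EmailCheck::WhitespaceInDomain;
        if (!domain_char_ok(s[i])) return EmailCheck::BadDomainChar;
    }
    return EmailCheck::Ok;
}

// The rule from the post: any result other than Ok turns the entry field red.
bool field_is_red(const std::string& s) { return check_email(s) != EmailCheck::Ok; }
```

Returning a distinct value per failure rather than a bare true/false is what lets the field's tooltip say why it is red, which is the same lesson as the server error codes above.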


There is also the case where a customer enters the login details for, say, C++ Performance Validator into a different tool, such as C++ Memory Validator. The login details are valid, but not for this software tool. The image below shows the error message given by the Test Login Details… button in that case.


We also added two new menu entries, one for resetting the user credentials and one for setting them. With the credentials reset, no software updates will occur; once they are set (correctly), software updates will occur.


Problems with TMP security

When a software update for one of our tools is downloaded, by default it goes into the directory named by the TMP environment variable. On a Windows 10 machine this most likely points somewhere like c:\users\stephen\AppData\Local\Temp.

The updater obtains a temporary filename from the _ttempnam() function, which uses the TMP environment variable to do its job. We wrote the software updater code, tested it, and didn't think much more about it until we recently received an email from a customer. I'm going to quote a bit of it below.

I am an IT manager for a software house that uses your Performance Validator and Memory Validator. With the new threats from ransomware we have locked down developers' machines so files cannot be executed under the users' AppData folders, which contain the users' temp folders.

He wanted to know what our filename policy was so that he could whitelist our software updater to run inside the directory he'd locked down. _ttempnam() returns a different name each time, although the names do follow a pattern (a fixed prefix with a generated suffix). I explained the rules, but then suggested that a dedicated download directory removes the need for whitelisting altogether and provides a better security environment: nothing under the locked-down AppData tree needs to be executable. He agreed. So that's what I'm going to discuss next.

Specifying a directory

The first thing we had to do was replace the use of _ttempnam() with a user-specified directory.

The user-specified directory defaults to the same location that _ttempnam() would have used, so the default value follows the rules in the _ttempnam() documentation: use the directory named by the TMP environment variable if it is set and names an existing directory; otherwise fall back to the directory argument passed to _ttempnam(), then P_tmpdir, then the current working directory. In practice this means calling GetEnvironmentVariable() to read TMP and checking that the result is a directory.

Provide a means for the user to specify the download directory.


The directory needs to exist. If it doesn't, that should be obvious as soon as the directory name is entered.


The directory needs to grant both write and execute privileges. If either is missing for the specified directory, the user should be told which one. Note that a restriction like the customer's, which blocks execution under AppData, is typically applied by an execution policy rather than by the directory's ACL, so an ACL check alone will not reveal it; that is exactly why pointing the updater at a dedicated directory outside the locked-down tree is the better fix.



The Reset button sets the directory back to the default value.

Add an entry to the Software Updates menu so the user can reach this dialog, and update the Startup Wizard to allow the software update directory to be specified.


We’ve also updated the software update code to handle the cases where a valid software update directory is supplied but is later deleted, or has its permissions altered to deny write or execute access. The same path covers the case where the directory itself is unchanged but the stored setting is damaged or corrupted somehow (registry editing, a machine crash…). In both cases the directory has to be checked again when an update is about to be downloaded, not only when it is entered.
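The steps above, as an added C++17 example that is not the Validator products' own updater code. It resolves the default directory by the _ttempnam() rule, validates a configured directory with one discrete status per failure (the same approach as the per-failure server error codes in the authentication fix above), and re-validates immediately before each download so that a directory deleted or re-ACLed since it was configured falls back to the default. Assumptions: getenv() stands in for GetEnvironmentVariable(); writability is probed by creating and deleting a file, which catches deny ACEs that a permission-bit read would miss; the execute check reads POSIX permission bits, and a Windows build would replace it with an ACL check (AccessCheck), which is not shown here.

```cpp
// Added example, not the products' own updater code. See the lead-in for the
// assumptions (getenv() for TMP, probe-file write test, POSIX exec bits).
#include <cstdlib>
#include <filesystem>
#include <fstream>
#include <iostream>
#include <string>

namespace fs = std::filesystem;

// One discrete status per failure, so the UI can say exactly what is wrong.
enum class DirStatus { Ok, NotSet, DoesNotExist, NotADirectory, NotWritable, NotExecutable };

const char* describe(DirStatus s) {
    switch (s) {
        case DirStatus::Ok:            return "ok";
        case DirStatus::NotSet:        return "no download directory is set";
        case DirStatus::DoesNotExist:  return "directory does not exist";
        case DirStatus::NotADirectory: return "path is not a directory";
        case DirStatus::NotWritable:   return "directory denies write access";
        case DirStatus::NotExecutable: return "directory denies execute access";
    }
    return "unknown";
}

// Default directory following the _ttempnam() rule: TMP if it is set and
// names an existing directory, else the caller's fallback, else the current
// working directory.
std::string default_download_dir(const std::string& fallback = "") {
    std::error_code ec;
    if (const char* tmp = std::getenv("TMP"))
        if (fs::is_directory(tmp, ec)) return tmp;
    if (!fallback.empty() && fs::is_directory(fallback, ec)) return fallback;
    return fs::current_path(ec).string();
}

DirStatus validate_download_dir(const std::string& dir) {
    if (dir.empty()) return DirStatus::NotSet;
    std::error_code ec;
    fs::file_status st = fs::status(dir, ec);
    if (ec || !fs::exists(st)) return DirStatus::DoesNotExist;
    if (!fs::is_directory(st)) return DirStatus::NotADirectory;
    // Execute/traverse: POSIX permission bits (assumption; on Windows this
    // would be an AccessCheck() against the directory's ACL instead).
    const fs::perms exec_bits = fs::perms::owner_exec | fs::perms::group_exec | fs::perms::others_exec;
    if ((st.permissions() & exec_bits) == fs::perms::none) return DirStatus::NotExecutable;
    // Write: probe with a real file. This catches deny ACEs, read-only media
    // and full disks, which reading permission bits or the ACL would not.
    fs::path probe = fs::path(dir) / ".software_update_write_probe";
    {
        std::ofstream f(probe.string(), std::ios::out | std::ios::trunc);
        if (!f) return DirStatus::NotWritable;
        f << "probe";
        if (!f) { f.close(); fs::remove(probe, ec); return DirStatus::NotWritable; }
    }
    fs::remove(probe, ec);
    return DirStatus::Ok;
}

struct DirChoice {
    std::string dir;       // directory the download will actually use
    DirStatus configured;  // why the configured directory was, or was not, usable
    bool fell_back;        // true if the default was substituted
};

// Called immediately before each download, not only when the setting is
// entered: a directory deleted or re-ACLed since then, or a damaged registry
// value, falls back to the default instead of failing the update.
DirChoice choose_download_dir(const std::string& configured) {
    DirStatus s = validate_download_dir(configured);
    if (s == DirStatus::Ok) return {configured, s, false};
    return {default_download_dir(), s, true};
}

int main(int argc, char** argv) {
    std::string configured = argc > 1 ? argv[1] : "";
    DirChoice c = choose_download_dir(configured);
    std::cout << "configured: " << describe(c.configured) << "\n"
              << "download to: " << c.dir << (c.fell_back ? " (default)" : "") << "\n";
    return c.configured == DirStatus::Ok ? 0 : 1;
}
```

Run it with the configured directory as the first argument; the exit status reports whether that directory was usable, and the status value is what the dialog would show next to the red field. The probe-file write is deliberately done every time rather than cached, because the whole point of the change is that the directory's state at configuration time says nothing about its state at download time.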


We’re always trying to improve your experience with our software, whether that's making Software Updates so easy you never need to talk to us about it, or improving your security environment. If you have an issue, or a suggestion you think will improve the software for everyone, please do get in touch.


Banks are clueless on online security

By , February 14, 2011 3:21 pm

During November I met Dave Collins from Software Promotions. I saw him presenting two talks on effective Adwords marketing and common mistakes you can make and how to avoid them. Articulate, well informed. So much so that I decided to hire Dave to do some work for Software Verification.

Dave wanted to be paid by direct bank transfer. Not a problem, except that I have been really reluctant to do online banking because I'm concerned that, no matter what steps you take, there is always the potential for something nasty to be on your machine waiting to snatch your bank details etc. Maybe a tad paranoid, I agree, but that is how I work. But let us be clear on the risk: if you get hacked for online banking, that is your entire account at risk, not the same thing as if your credit card details get compromised. It's the sort of thing that could put you out of business. Hence my paranoia.

Live CD
Anyway, I decided I would do it using a Linux live CD; that way the only risk is the Linux CD or a hacked BIOS. A dodgy Linux CD is unlikely, as so many people get the same image. Having your machine's BIOS hacked is also one of the more unlikely circumstances to happen to you. An alternative scheme, which Joanna Rutkowska uses, is to use virtual machines with snapshots and restore the VM snapshot on a regular basis.

Online Banking
Like most people I’ve banked with the same bank for years, both personally and for business. I started with Midland Bank but after some dreadful service when I was a student I moved to National Westminster Bank and have been with them ever since (except for a short spell living in Scotland, where NatWest had no presence).

Given the nature of what banks do you would expect them to take security seriously. I did.

Account Number
So imagine my surprise when I found that the account number for the new business online banking was DD-MM-YY-xxxx, where xxxx looked like a random value. Further investigation turned up that xxxx is actually the count of the number of people that have the same birthday. So if xxxx is 0185 then you are the 186th person with that birthday.

So what is the problem with the above? Given that so many security systems ask you for your date of birth when you need to talk to a human, I’m astonished to find the date of birth as the first 6 digits of the account number. When I asked about this the answer given by the staff member was “Only you know your date of birth.” Yes, I’m not kidding. She was sincere in that opinion. She didn’t seem to realise that, even without the Internet, social media, etc., your date of birth is available in many places.

What on earth is wrong with account numbers that start at 0 and increment by one for each new customer? They are arbitrary and leak nothing about the customer. (Whether an account number is guessable is beside the point: neither scheme is secret, and the number should never be what authenticates you. The problem is that this one hands out a piece of personal data that other systems treat as a secret.) I guess something as simple as that is too complicated.

That is enough for me. If you can’t get something as simple as an account number right, what else are you going to get wrong?

