Warning: Major Geek Content

If you’ve been working with Microsoft’s Internet Information Server (IIS), and you check out your log files on a regular basis, you’ve probably seen error messages with content similar to this:

Process Information:
Process ID: 3264
Process name: w3wp.exe
Account name: NT AUTHORITY\NETWORK SERVICE

Exception Information:
Exception type: System.Security.Cryptography.CryptographicException
Exception message: Padding is invalid and cannot be removed.

Request Information:
Request URL: http://www.yourdomain.com/webresource.axd?d=d8qwertyu9a7asdfghjklzxcvn1&t=123456789012345678
Request path: /webresource.axd
User host address: 255.255.255.255

I often wondered what these were about, but all I ever saw in searches on the topic mentioned incompatibility with certain browsers (especially Safari) and miscommunication between the server and the browser. Not really good answers, but enough to know it wasn’t some serious hack attempt.

That was, until a few weeks ago when we started having some major trouble with timeout errors between our web server and the SQL Server which holds the data for our sites. We went round and round trying to figure out the issue ourselves to no avail. Thankfully, we have a subscription to Microsoft’s telephone tech support, so we finally decided to punt.

I have to give Microsoft some serious props when it comes to their top level support. When you get one of these folks on the phone you are dealing with a true professional; one with a lot of knowledge, background and experience to help you work through your problem. The service isn’t cheap, but it’s good.

We worked with a networking engineer who helped us narrow down the issue. He ended up calling in one of his colleagues on the IIS support team to help us find a resolution. 45 minutes on the phone with those two guys was about a week’s worth of education.

In the end, it turned out to be some errant code we put in for error handling. Rather ironic, I have to say, that the error handling caused the errors themselves.

But, the real education was in learning about the webresource.axd and what causes these System.Security.Cryptography.CryptographicException errors.

The webresouce.axd file is generated by the system. Like the web.config, it’s not a file that someone can just “browse” to. It’s requested automatically by the browser and is a helper file to assist with using script files.

The interesting thing is that the “d” portion of the URL string is supposed to be mixed case, but in every instance where I see this type of error, all the letters are lower case, like from the completely fake example I noted above:

d=d8qwertyu9a7asdfghjklzxcvn1

It should be more along the lines of something like this:

d=d8QWErtyU9a7ASDfghJKLzxcVn1

If you go through your server logs, you can track down the requests which cause the errors, compare them to other requests for the webresource.axd file and clearly see the difference. I didn’t notice this until I looked at the logs closely trying to troubleshoot my problem.

Checking closely in the log files, I can also see where sometimes the “&” between then end of the “d” string and the “t=” is sent like “&” – which apparently also causes issues.

There you have it – a “not to technical” explanation as to why you might see this type of error message in your log files. Apparently, so long as your server is patched and set up according to best security practices, this shouldn’t cause you any problems other than possibly filling your log files with messages.

This is a “Lesson Learned” for me as well as a reminder for you who are admins for web sites running on IIS.

For years it’s been best practice that when you move web site content from one place to another, to set a permanent server-level redirect so search engines will know to remove the old addresses from their index and add the new addresses in their place. No problem, we all do this.

Over the past several years, my colleagues and I have been coding background processes of our web sites in ASP.NET. Over that time, we’ve converted many applications from Classic ASP. Some applications were outright moved as they were converted based on guidance from our Marketing Department.

In one case, we had an old press release application, written in Classic ASP, which we redid in ASP.NET and moved. Being the student of SEO, I set up a permanent server-level redirect in IIS to the application’s new address. “Done and done,” or so I thought.

Fast forward a few years and we find ourselves troubleshooting a vexing problem with one of our servers. Through the course of the investigation, we found something very interesting. Those Classic ASP pages in the folder of which the server-level redirect was set were still firing; this despite the fact that the IIS server was set to automatically and permanently redirect visitors to the new page.

We did a number tests on those pages and confirmed our findings: the underlying Classic ASP code was, indeed, running before the visitor was redirected to the new page. The redirect happened so quickly that the end user was completely unaware it was happening.

From a security standpoint, I should have known better than to leave old code on a web server. That is a classic “no no” and a possible opportunity for hackers to come and exploit your system. Thankfully, that didn’t happen.

From me to you, here is a reminder (or a tip if you’ve never heard this before): If you move web pages from one address to another set up a server-level permanent redirect on the old folder, then archive and delete the old pages from the server. This keeps your server cleaned up and gets rid of any old code which might be exploited later down the line.

photo credit: Andrew Mason

Last week I was called upon by Megan Fleetwood, a reporter with KWTX in Waco, to offer up some comments about social media security and safety. In this case it was specifically regarding the safety of kids on social sites.

Unfortunately, the story is no longer available on their web site. I’m looking for another source.

Background
This particular piece revolved around a school bus driver who thought a dog belonging to one of the students on his route had been found by one of his neighbors. The neighbor was about to take the dog to the animal shelter. Concerned for the pet’s safety, he contacted the 13-year-old female student via a Facebook message asking if the dog in question was hers. Apparently, when she didn’t respond, went to her house and knocked on the door.

The concern here is (as spoken in the story): “When is it appropriate for an adult to contact a child on the internet?” I’m sure opinions vary. In this case, the school district leadership is convinced the driver’s intentions were honorable. Still, the incident did raise a bit of concern for school district – and it should.

Kids are on social media. It’s part of their culture and embedded into their lives in a way even the most social media-savvy adults I know don’t fully comprehend. Because it’s such a part of how they interact with others, it’s essential we teach them about online safety when they are young much like my parents taught me not to talk to strangers or look both ways before crossing the street.

School Is Teaching Kids
Apparently, the school district spent some time during the course of the last year teaching kids about online safety. That is excellent. Although I believe parents should be ultimately responsible for monitoring their kids’ online activities, it is an excellent idea for schools to help by offering some instruction. This may offer the chance for the kids themselves to look out for each other and help each other succeed in keeping not only their personal information, but their persons safe.

Social Media Policies for Employers
From what I gather of the superintendent’s comments, the school district does not have a social media policy for its employees. I firmly believe all organizations should have a social media policy, and this goes double for schools. I don’t think social media policies for school need to be draconian to the degree that social media contact between school personnel and students are cut off totally. There are some excellent and legitimate uses for social media contact, especially between students and teachers. However, there should be some guidelines to help prevent a situation like the one in this story; to help keep “honest people honest.”

Social media can be a great tool to help schools communicate. For example, I have a friend whose highschoolers are involved in Theatre Arts. The teachers have a Twitter account which they use to let parents know what’s going on when students are on field trips and traveling to competitions. Certainly a Facebook fan page for a teacher’s class would be of great help with communication of lessons and such between the teacher and students and parents. I know many teachers who use email lists for this type of communication – perhaps it would be more efficient to post message to social media sites.

Some Points to Ponder
During the interview I did with Megan we discussed a number of points about how to help kids make good decisions when it comes to their social media activities. Here are a few:

• It is mainly the responsibility of parents to teach their kids how to be safe online. Some parents are overwhelmed by this because they don’t understand social. If this is the case with you, concentrate on the basics like, “Don’t talk to Strangers,” “Treat others as you want to be treated,” “Don’t spread gossip.” Teach them not to share their personal information such as address, phone number, pictures, etc. with those not personally known to them.
• Foster a relationship with your kids that encourages them to let you know when something untoward happens. Often times communication between parents and kids is the best tool to keep them safe. Of course, when they become teens and think they know everything this gets tougher, so you have to start early.
• Anyone can figure out how to send a message to anyone else. That’s how spam works. Getting emails from strangers is nothing new. Teach your kids to ignore and delete messages from people they don’t know.
• It’s not a bad idea to put the family computer in the living room with the T.V. and other entertainment items. This way, you parents can keep an eye on what the kids are doing online.
• Check your kids’ social media accounts from time to time. Not only should you check the security/privacy settings on their accounts, you should check to see who they are interacting with and how they interact. Cyberbullying and such can be cut off if parents are involved in monitoring their kids’ online activities. You kids may complain about you “invading their privacy” but in the end they will appreciate that you care.
• If you are technically savvy enough, you can install various filters and limit your kids’ time online. This way you can help prevent them from Facebook-ing or MySpace-ing at all hours of the night.
• Kids need to understand that online is pretty much “forever.” Once something is posted and indexed by search engines it’s nearly impossible to get rid of and it can pop back up during searches for who knows how long. Younger kids talking smack and older kids posting pictures of themselves acting the fool at parties may be all fun now, but they can come back to haunt them later. Though this point probably applies more to older kids and young adults who may be soon entering the workforce, it’s important that kids learn early on about the basics of online reputation management.

Please check out the tips I gave in my last TV interview in my article “Social Media Safety & Security.”

How about you? What tips do you have regarding keeping kids safe online? Please feel free to share them in the comments.

There has been a lot of mention about the risk copiers can pose to personal information security of late. Indeed, it’s been covered in the traditional media as well as in many blogs.

Bill Detweiler of TechRepublic mentions a poll he conducted last month in response to a CBS piece which covered this subject showing many don’t bother wiping information from the hard disks of multifunction copying devices which have them. Bill also refers to an article he wrote back in 2007 which mentioned the security problems with digital copiers.

This problem, however, goes back further than even 2007. I remember working tech support in the late ’90s when we had some digital multi-function copier/fax/printer devices which operated on a system based on Microsoft Windows NT 4 running Internet Information Server (IIS). We didn’t realize they were based in NT 4 with IIS until an internal security scan revealed them as such. We assumed, up to that point, they would have been Linux-based or working on some proprietary system. These devices had no interface to the internal operating system and could not be patched – even by the manufacturer (or so we were told). That made them vulnerable to cracking. Remember the “Code Red” worm? Needless to say, those devices were replaced as quickly as practical.

To maintain good information security, it’s best to treat all systems with any kind of memory whatsoever with care when replacing. If the device has any type of memory, whether hard disk, RAM or flash, it needs to be wiped before disposal. When in doubt, wipe it out. If it cannot be wiped, it needs to be destroyed or turned over to a reputable service which will certify its destruction.

Treat the devices as you would a piece of paper which has sensitive information printed on it. You’d shred the paper, so you must do the electronic equivalent with documents stored in electronic devices.

photo credit: vvvracer

Many people glaze over when the subject of passwords comes up. I think it’s because us IT folks tend to make things seem a lot more complicated than need be. Here are 4 easy steps to help you create better passwords to protect your personal information: