Friday, October 25, 2013

AWS: Cache Me If You Can! Getting Started with Elasticache.

Here are the presentation slides from our monthly Charlotte Cloud Computing Meetup and AWS Charlotte Meetup meeting.

Application cache has the potential to tremendously speed up your response times. Putting a cache infrastructure together on the other hand may not be for the faint of heart. 
In this meetup we will investigate the use of Amazon ElastiCache. Amazon ElastiCache is a web service that makes it easy to deploy, operate, and scale an in-memory cache in the cloud.


Friday, June 28, 2013

AWS: Amazon CloudSearch -- Find This!

Since we experienced some issues with this month’s meetup I am publishing the presentation slides here.
We may be able to run through this at a different time again.

From our meetup description:

So you have used SOLR and think that is the only way to go for anything search related. But, (isn't there always a but?) you are tired of maintaining infrastructure or attempting to scale this thing. 
Well time to look at alternatives specifically made for the cloud. 
In this meetup we will look at AWS search, which is based on A9 search technology acquired by Amazon. It does all the dirty work for you so you can focus on your facets ;o) 
We will discuss the good and the bad while attempting to use examples and build a search domain.


Thursday, April 4, 2013

CF: Railo: Using VisualVM tool to monitor running Railo servers

I had written a Adobe ColdFusion specific article on how to use the free VisualVM tool to get insight into the workings of the Java Virtual Machine. I have since been asked to provide similar guide for Railo CFML engine.

The good news is that the implementation is very similar and mostly follows the same path. I will demonstrate this using Windows OS example. I assume in this example that you have used the standard Railo installer for windows.

If so, here are some simple steps to use this great tool set working with Railo.

1) download java jdk also referred to as Java SE Development Kit. You can use 1.6.38 or later or 1.7.13 or later.  Again, Important to get the JDK not the JRE.

2) Download Visual VM:

3) Configure Railo jmx access:
On Windows, best way is to go to Tomcat Service Control, open the Java panel and add the following to the Java Options text box: (you can change the ports etc. this is is my sample):

You can decide whether to use ssl or not, and also on the port to use. If you want to use jmx authentication I would recommend you read:

You will need to restart your server after you have completed your changes.

4) Configure your Visual vm start up to point to your jdk if you have not set environmental variables:
e.g. on Windows
if you extracted the visualvm files into C:\visualvm135
Your JDK is located in C:\Java\jdk1.7.0_13
then you can use the following command line:

C:\Java\visualvm_135\bin\visualvm.exe --jdkhome "C:\Java\jdk1.7.0_13"

You can also add a batch file shortcut for reuse, e.g.

5) Start up the VisualVM tool (it may have to go through calibration first, simply acknowledge), then, and establish a connection a JMX connection by right clicking on the local node and choosing "Add JMX Connection..."

6) Add connection parameters:
If the server is local you can use: localhost:[port] in our case: localhost:8701

Now you should be able to monitor basic statistics of your Railo environment as it runs, and do some nifty things like forcing garbage collection and dump heap files for later analysis.


Monday, February 11, 2013

CF: cfObjective() 2013... talk is cheap (relatively ;o)

I decided to submit my slew of topics to this year's cfObjective conference. I had many things that I wanted to investigate or thought were worth sharing... never can pick really...
Fortunately for me the selection committee picked two of my submissions and, thus, if you time it right and have no better place to be, come join me at cfObjective in Minneapolis to dig into the mobile development realm ...

"Hey Bilal, come to the point", you say. "What are you going to yak about, since I am biZy! With a capital Z".
Well,  ok, here are the things I am going to talk about:

Design MVC Mobile App Visually In Hours

HTML5 / CSS3 / JavaScript Mobile Apps are becoming more popular. Unfortunately, the tools that we use to design them have not changed much. This talk is centered on using more advanced design tool such as Sencha Architect 2 to visually create front-end MVC mobile prototypes quickly in WYSIWYG fashion. We will step through the elements and create our own app and discuss native deployment options as well.
We will learn how to navigate the common UI of Sencha Architect, how to start and structure an Architect project, how to create a common mobile app with navigation pattern , how to link components, how to bind data, how to deploy generated code in your project, the difference in prototyping levels and the fit of rapid prototyping tools such as Architect, and we are going to have fun creating a real working mobile app.

Mobile but Secure

HTML5 CSS3 applications are becoming increasingly popular for mobile platforms. An assortment of applications makes use of the mobile devices to run, but when it comes to mobile security it is a wild west, the next frontier. What can you do to create mobile or web apps with a more solid security stance and prevent your mobile software from becoming another way to hack into your servers, your customers’ data? If you don't want to be in the news as the next mobile app whose weakness a hacker group used to get sensitive data you should familiarize yourself with the mobile security tips and tricks.
We will take a look at the mobile security top ten and discuss the juiciest elements such as   Insecure Data Storage, Weak Server Side Controls, Insufficient Transport Layer Protection, Client Side Injection, Poor Authorization and Authentication and ways and how to mediate them effectively.

So there you have it.
Hope to see you at the Mall of America in May !


Saturday, January 5, 2013

CF: Scheduled Task Security venerability in Adobe CF

Getting hit by a security vulnerability is no fun. This new one using CFIDE scheduling ( seems to have impacted quite a few users.
This all happened around Christmas and went downhill from there most likely automatic network scanning of availability of a certain URL path followed by automated attack.

Charlie Arehart has several blog post on this topic so I am not going to expand too much:

The old adage to lock down your server still holds but is no solace to the people that got hit since it would impact a fully patched server.
The short of this is to disable access to certain CFIDE paths. This may be the practice that you already follow, then kudos!, more importantly, get the word out to other users. Let your friends know so they don't fly blind.

Overall I am surprised by this vulnerability since it seems to originate from a vector that, in my mind, should require authentication or at least some sort of access control. Seemingly the scheduling of tasks is vulnerable and wide open by default. Initial thought on this: Crap!
Maybe, as a community, we should vet more closely the out of the box CFML code that is being deployed. The secure stance always has been to not deploy any example and docs on production, however, this is part of the system would be required to administer it.

Couple of things that I would like to delve deeper into:

a) Detecting Code Compromise:
In the last talk that I had presented around application security I had shown an example that can be easily implemented and allows users to detect any code change on the machine.
The idea is to generate an application signature that, then, can be verified to see whether the application is still consistent with what you published.
This is a simple version, you may expand and adjust. This will help you detect whether you have been compromised.
You can do this against the CFIDE, Customtag, and/or any other directory you store code in. You can create separate signatures (i.e. modules) or combined ones.

The goal is to quickly be able to tell whether you were hit by a zero-day vulnerability or anything else made its way onto your server that you did not expect.

It involves two general steps:

First run a recursive cfdirectory on your website/app and, second, create a hash from it.
Something like this:

<cfdirectory action="LIST" directory="c:\inetpub\wwwroot" 
  name="myAppFiles" filter="*.cf*" recurse="Yes">

<!--- build md5 hash  --->
<cfset myAppSig = Hash(SerializeJSON(myAppFiles),"MD5","us-ascii")>

Then compare the generated application signature against a last known good one. This can be done on App start, or a scheduled basis, even add hock if you app is small.

Here is the similar sample that stops application execution if compromised if you include it in your OnApplicationStart function:

<cffunction name="OnApplicationStart">
 This assumes that you have a database with a
 table named "appcheck" that has at least two fields
 id =    auto number/indexed
 value = text (20)
 The first time the app starts, the valid
 application signature will be determined.
 There after the application will abort if 
 the signature does not match.
 To publish new code.
 Clear the appcheck table or insert 
 the new valid signature as last row. 
 <cfquery name="selCheck">
  SELECT value
  FROM appcheck
  WHERE id = (SELECT Max(ID) FROM AppCheck) OR id=0
 <!--- determine app check crossum --->
 <cfdirectory name="selAppFiles" action="list" filter="*.cf*" 
  directory="#getComponentPath()#" recurse="Yes">
 <cfset strJson = SerializeJSOn(selAppFiles)>
 <cfset md5Hash = Hash(strJson,"MD5","us-ascii")>
 <cfif selCheck.RecordCount>
  <!--- application compromise check. 
        We could email someone automatically, 
        raise alarms, call the cops --->
  <cfif md5Hash neq selCheck.value>
   Application compromised.<br/>
   #md5Hash# -- #selCheck.value#

 <cfquery name="insCheck">
  (VALUE) VALUES ('#md5Hash#')

b) Preventing people from using the vulnerability:
Charlie and other have done a good job of summarizing the source and ways you can prevent the exploit. It all seems to boil down to not let users hit certain CFIDE paths:

  • /CFIDE/administrator
  • /CFIDE/adminapi
  • /CFIDE/componentutils

The bad thing is that using IIS/Apache facilities to lock out call URLs may not be good enough. There is the question of virtual paths and ColdFusion built in webservers that can bypass your effort. In addition, the normal Adobe CF connection between IIS and CF is using a wildcard based handling of all request. That means all requests to your website are first routed to CF/connector, even, if you ask for an image. If you know me you know I am biased, but obviously this blows big time, since it causes unnecessary processing on IIS and CF. Try to pause or stop CF and call a static HTML page on IIS or Apache, you will wait for a while. Enough of the ranting! In short, please test your lockout configs after you make changes to make sure that everything is locked out as it should be.

If you are using ColdFusion 10 on IIS you also have the option to deploy my BonCode connector. It does not block static page access, or hinder non CF processing. Since its first version it had the ability to block access to administration pages; you will not be able to bypass this even if you have the built in CF webserver running (yes, you can still hit the built in webserver if you bypass IIS altogether but that would require deliberate foolishness where you have opened the non-standard port on your Windows OS and firewalls everywhere).

Here is a blog post on how this feature is used to secure Railo administration pages. This method also works for OpenBD, and Adobe CF10.
The installation for CF10 is not out of the box, if there is interest in this I will provide it in later versions. Also this is not officially supported by Adobe, though given the system instability issues and problems that have occurred with the supplied connector you may want to consider testing anyway.