Tuesday, June 5, 2007

Responsibility is Everyone's Job

Software developers constantly talk about responsible disclosure.

Responsible disclosure is basically defined as informing the software developer of a vulnerability so that the vulnerability can be researched and fixed. This is compared to full disclosure where the vulnerability is announced to everyone without giving the software developer a chance to fix the vulnerability. Contrast this with the economic pressure for a software developer to reveal a vulnerability, which is none.

The spectrum consists of Full Disclosure (tell everyone), Responsible Disclosure (tell the developer), and Non-Disclosure (tell no one). Without going into details, suffice it to say that responsible disclosure is currently mainstream.

The question is how the developers handle fixing the vulnerability. The general thought is that a responsible company would put resources into fixing these as soon as possible, but these commercial developers are, for the most part, in business to make a profit. I am not including open source developers in this post.

Now for two examples of how Microsoft has handled responsible disclosures.

The first is the ANI exploit, which I wrote about in Vista Smista & ANI Exploit. The vulnerability was disclosed in December of 2006 and not fixed until exploits were released in March. A quote from my previous blog is below and more details are in my other post mentioned above:
In short this was disclosed to Microsoft in December of 2006. Apparently the first report of this vulnerability being used as an exploit was March 28th. Due to the widespread use of the exploit several third parties released interim patches... Microsoft reacted, as it tends to do when third party patches are released, and the news media starts to publish... Microsoft released the official patch out-of-cycle on Tuesday the 3rd of April (instead of today the 10th of April).

Just recently, at the end of May 2007, a vulnerability in Microsoft's web server IIS 5.X, where authentication can be bypassed, was announced. However, this vulnerability was discovered December 15th 2005 (no, this is not a typo) and was subsequently responsibly disclosed to Microsoft. Apparently Microsoft finally decided to publicly disclose the vulnerability, but without a fix. Unless you consider paying for an upgrade to Windows Server 2003 and IIS 6.0 a patch.

Keep in mind that these are just two examples, where Microsoft:
  1. Failed to fix a known vulnerability for several months until an exploit was released.
  2. Kept a vulnerability secret for over a year, then released the information and required a paid upgrade to the latest code for a fix.

I think Microsoft should re-evaluate their responsibilities as a good citizen or netizen.

Thursday, May 31, 2007

When Google isn't Google: Google-analytics Compromised

It has been reported that the popular Google Analytics has been compromised. The details are in the ISC Diary Entry titled Google Counter ... isn't.

What this means to the average user is that any web site that uses Google Analytics, and there are more than a few that use this free service, will attempt to infect your computer.

What is the average user to do? Disable JavaScript and break most web sites? That is almost like putting bars on your windows and refusing to leave the house.

Well, it isn't a secret what I do: I use Firefox and the NoScript extension as my main defense against this. I normally leave anything not required for accessing a site, including Google Analytics, disabled. I was initially surprised by the number of JavaScript files attempting to run from sites I had not directly connected to. I would describe this as checking who a visitor is bringing with them when they want to visit my house.

sites that were used to See "Drive by What?" for my latest blog entry on the subject, or check here for all my references to NoScript.

Wednesday, May 30, 2007

Windows Please Phone Home!

I have talked about patching a few times.

I have also discussed how I have found Microsoft Windows systems that were configured for automatic downloading of security patches, but were not patched, in Cup of Hot Cocoa: Patch Warfare II.

Now it appears that Microsoft has taken notice and has released patches to fix the problems with automatic updates (and with manually using the Microsoft Update and Windows Update sites, for that matter), which is great. But except for an announcement on their blog (Welcome to the Microsoft Security Response Center Blog!) it has received very little fanfare. See Two Advisories on Non-Security Updates for details.

Now the scary part is that it is being distributed by the very mechanism that it is designed to fix. If a PC is not getting updates due to the problems these updates fix, then the system will not get the fix! To compound the problem, these fixes are distributed separately and each one requires a reboot.

In other words the broken update mechanism must download and install the first update. Can you say "if your internet connection is down please visit our web site to report a problem"... or how about "please call the phone company if your phone is not working"...

Then it has to do the same thing for the second update!

Now if Microsoft wanted to be a good internet citizen they would announce this all over the place and encourage users to visit the update sites to download these manually or if that fails to directly download them per the knowledge base articles: Microsoft Security Advisory (927891) and Microsoft Security Advisory (937696).

Friday, May 25, 2007

Drive by What?

It used to be that you could avoid certain types of sites and avoid most malware. Add good antivirus software and you were pretty safe. Not anymore: just about any site can be used for drive-by downloads.

Now even major sites can participate in spreading infections just by displaying advertising. The dark side submits an ad that downloads malware when someone simply views the ad on a site.

This has become so common that Brian Krebs, of Security Fix fame, wrote an article about it called Cyber Crooks Hijack Activities of Large Web-Hosting Firm. It discusses a web hosting provider that has literally hundreds of infected host sites, and the site owners don't even know that their sites are infected.

Even Google discusses it in their new security blog with their initial post Introducing Google's online security efforts.

Alas we are not completely helpless. I have mentioned Noscript before and I will continue to recommend it to enhance your control over what runs on your computer.

I will also mention an anti-malware tool from eEye that I recently discovered called Blink that is currently free for personal use in North America.
eEye Digital Security is offering Blink Personal Internet security with Antivirus for free as a 1-year subscription in North America.
If you are outside of North America, as of the time I write this, the price is $24.95 for one computer and $29.95 for three (3) computers. I have found this to be quite effective without causing performance issues.

Sunday, May 20, 2007

Videos

Who knows you better than your peers?

It seems that there was a contest for university students to create videos to increase awareness of computer security among university students.

The contest was conducted by the EDUCAUSE/Internet2 Computer and Network Security Task Force, the National Cyber Security Alliance, and ResearchChannel.

Even though the intended audience is college and university students, the videos are entertaining and educational for other audiences. I suggest you check out the videos here.

Wednesday, May 9, 2007

Enemy of the State RFID Style?

The Plot

Back in November of 1998 the movie Enemy of the State was released, starring Will Smith as the harassed citizen who was tracked with every asset the government had, including satellites. While I do not claim to have access to any details of what these satellites can do, I can make a few statements safely.
  1. No one casually moves satellites between orbits. Simply put they have a limited amount of fuel and once it is used there are no satellite fuel stations that you can stop by for a refill.
  2. There would have to be a compelling reason to track one person with satellites. As I understand it they are constantly in use and the scheduled activities are not casually changed, especially on a moment's notice.

Now to look at current technology and trends: currently deployed and developing technology, and how it could be abused. While I want to "set the stage" a little bit, I will be directly discussing RFID and its ability to be used/abused.

Video Surveillance

Let's start with the most obvious: the UK with its attempt to monitor everything via camera. While I'm not a UK citizen I have been "watching" this from the sidelines. First, as far as I can tell there are no laws covering who can view/use the videos captured, how long they are retained, or how they are disposed of. This may not seem to be a big deal, but consider it alongside evolving technology and the apparent lack of controls.

Imagine, if you will, someone digitally changes a video to put you, or a now well-known politician, in a compromising situation. Without properly defined controls this could ruin a political career. If I am correct that there are no laws controlling the videos captured, this should be addressed.

Tagging History & Evolution

Radio Frequency Identification (RFID) is all the rage. It is being used everywhere and for many purposes. The first "killer application" was for inventory. Simply tag all the inventory and using simple equipment get a fast accurate inventory with minimal costs. Virtually 100% accurate virtually 100% of the time.
Anyone that works with inventory knows that there are always inconsistencies, like who forgot to remove the RFID tag from the do not inventory (DNI) items.

Once this became ubiquitous it was a "no-brainer" to use it for anti-theft. Once an item is sold it is marked as "clear to pass" the anti-theft devices at the doors of that store. Then you go into the next store and their anti-theft goes off. The tag wasn't cleared in the next store's system. Apparently unknown tags alert in case items have not been inventoried yet. This creates many false positives, AKA "The Boy that Cried Wolf." In summary a shoplifter could make one "token" purchase at the mall, then not worry about any anti-theft devices after that.

Tag You're it

Now if it works so well for tracking things, what about people? The US and UK governments think it is great. You can embed encrypted information, including a digital picture of the person, in the passport and you have decreased the problems with fake passports. At what cost to the average citizen?

The University of Washington demonstrated that the Nike+iPod Sport Kit's RFID can be used to track people, and that doesn't have any personal data on it. All RFID tags have unique information and no two match unless they are cloned, that is, but more on that later.

If a simple RFID tag can be used to track you how simple would it be to track someone with an RFID passport?

Wait isn't there a limited range to read the ones in a passport?

Yes and no. While the RFID tags have limited power there are two other ways to increase the range the tag can be read from.
  • Using a bigger antenna
  • Using a directional antenna

What about the encryption?

...but the information is encrypted. Yes, and nothing prevents the encrypted data from being cloned. The first documented attempt took the hacker 2 weeks and it only takes about $200 in equipment.

So what, you say. Well, if a standard RFID can be used to track you then the cloned RFID information can be used to track you, and know that it is you. Eventually the dark side will learn to break the encryption and be able to create their own fake passports.

RFID and CCTV

Tie RFID tracking in with surveillance cameras and you can be tracked and monitored easily...

Sunday, May 6, 2007

AOL Password Warning: Time to Change Your Password?

I try to avoid posting what everyone else is posting, but this case is special. Due to the number of AOL users I'm going to post this brief message and link to the original post.

Brian Krebs posted AOL's Password Puzzler on his Security Fix Blog yesterday May 5th. In short even though AOL allows passwords up to 16 characters it *only* uses the first 8 characters. I'll be the first to admit that there are other systems that have an 8 character limit, but these are well known and documented. *Not hidden away*!

As Brian points out in his post people have a habit of using their names as their password, but may add some extra characters on the end such as:
  • tomsmith1
  • tomsmith#1
  • tomsmithGr81
Simply typing in tomsmith will work without a complaint.

Even with a more complex password it is considerably less time consuming to break an 8 character password than a 16 character one. As far as I know all non-dictionary, brute force implementations of password crackers sequentially add characters to their attempts. In other words trying to break a password that is 2-16 characters will first try all 2 character combinations then move on to 3 characters...
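What the truncation and the brute-force point above look like in practice, as an added example that is not AOL's code and not from the original post. The store classes, the PBKDF2 hashing and the 94-character alphabet are assumptions made for illustration.

```python
import hashlib
import hmac
import os

SIGNIFICANT_CHARS = 8   # the post: only the first 8 characters are used
MAX_ACCEPTED = 16       # the post: passwords up to 16 characters are allowed


def derive(password, salt):
    # Salted, slow hash so the example does not model plaintext storage.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


class TruncatingStore:
    """Hypothetical back end that silently ignores everything past 8 characters."""

    def __init__(self):
        self.records = {}

    def normalize(self, password):
        return password[:SIGNIFICANT_CHARS]

    def set_password(self, user, password):
        salt = os.urandom(16)
        self.records[user] = (salt, derive(self.normalize(password), salt))

    def verify(self, user, attempt):
        salt, stored = self.records[user]
        try:
            candidate = self.normalize(attempt)
        except ValueError:
            return False
        return hmac.compare_digest(stored, derive(candidate, salt))


class FullLengthStore(TruncatingStore):
    """Corrected behaviour: every character counts; over-long input is refused."""

    def normalize(self, password):
        if len(password) > MAX_ACCEPTED:
            raise ValueError("password longer than the documented maximum")
        return password


def accepted(store, user, attempts):
    """Return the attempts the store accepts for this user."""
    return [a for a in attempts if store.verify(user, a)]


def keyspace(alphabet_size, min_len, max_len):
    """Number of candidates an exhaustive search tries, shortest first."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


if __name__ == "__main__":
    # Passwords taken from the list in the post, plus one that is too short.
    attempts = ["tomsmith", "tomsmith1", "tomsmith#1", "tomsmithGr81", "tomsmit"]
    for store in (TruncatingStore(), FullLengthStore()):
        store.set_password("tom", "tomsmithGr81")
        print(type(store).__name__, accepted(store, "tom", attempts))
    # 94 printable ASCII characters is an assumed alphabet.
    print("extra work for 16 vs 8:", keyspace(94, 1, 16) // keyspace(94, 1, 8))
```

With the truncating store every variant sharing the first eight characters logs in; with the full-length store only the exact password does, and the exhaustive search grows by a factor of 1 + 94^8.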

AOL is a big company and a fix for this will take time. Even if AOL could change it tomorrow how many people would be locked out of their account? Consider anyone with a password longer than 8 characters trying to login would fail since only 8 characters are stored... I suspect the fix will be a new implementation of the password back-end and a new front-end to migrate users to the new infrastructure, but only time will tell.

UPDATE: In case anyone is looking for information on good password generation/selection or password tools I did a couple of previous posts on these: Anatomy of a Password and Password Tools. All of my posts on passwords, including this one, are here.

Wednesday, May 2, 2007

Olympic Sized Ego

Picture this:
Security Bozos are happy to welcome you to the 2012 Olympics. Please excuse us while we limit the size of your drinks, run you through bomb detection equipment, search your belongings and in general disrupt your ability to enjoy the games. Please note that there will be a number of winners that will receive full body cavity searches.
Or this:
The 2012 Olympics are brought to you by [put major soft drink here] and [put major athletic shoe maker here]. Please remember for faster entry and bypassing the normal security checks pre-order either a case of [put major soft drink here] and [put major athletic shoe maker here] on line for pickup at the Olympics. Please present your receipt to the security guards for expedited entry into the games.
What is all this babble about? It has been decided that security for the 2012 Olympics will be provided by a major sponsor of the 2012 Olympics. The incredible arrogance.

  • What real security company would buy their way into the job and provide acceptable security?
  • What previous sponsor has any clue on how to provide security for an event of this size?

Tuesday, April 17, 2007

The Dark Side

Now that I have talked about the Internet culture in general in Out of the Mists of Antiquity... I will discuss the inevitable dark side.

In the beginning there was trust and sharing, but alas this was not paradise, just another place for humans to interact.

One of the earliest, and well known, examples of the dark side is the flame war. This is the term given when two or more parties disagree on a topic and the "discussion" becomes heated. Per Godwin's Law a lengthy flame war will end up with at least one Nazi. A few factors seem to be a major cause of these wars:
  1. Anonymity - when no one knows who you really are some people will say things that they would not in a face-to-face situation.
  2. Lack of body language can cause misunderstandings. Somewhere I read an article on a study that boiled down to about 80% of the time we assume we know the "tone" of written communication, but in reality we are only right about 10% of the time.
  3. Until recently with digital recording devices something spoken virtually disappeared once it was spoken, but once something is typed it is, or can be, saved word for word. Hence the old adage of don't e-mail or send a message that you wouldn't want printed in the newspaper.

Now on to what everyone thinks of as the real dark side: hackers. In the early days a hacker was someone of great skill and ability; a hacker could create a short powerful script or program in a short time and get something useful done with it. One of the most famous, and politically active, of these is Richard M. Stallman. Many would consider him eccentric, but consider his article originally written in 1997 titled The Right to Read, where there is no such thing as a library and scholars require government reading grants to be able to afford the fees for research... talk about derailing scientific discovery.

The natural curiosity of these hackers led to exploring systems they were not granted access to. Thus the cracker was born.
NOTE: To the purist, calling a cracker a hacker is like calling a sniper a marksman.
Some of the people breaking into systems began leaving signs that they had been there by destroying or damaging files, the most visible of these being web site defacement. The "hey I'm cool, look what I did" phase. Web site defacement, while still done, is not where the dark side is concentrating; the motivation has changed from fame to financial gain.

One of the easiest, most entertaining, ways to understand this is through the "Stealing the Network" Series by Syngress. This series contains fictional short stories written by well known security experts that are technically accurate unlike the depictions shown in movies.

Stealing the Network: How to Own the Box shows the "cottage industry" stage of the early crimes for profit.

The subsequent titles move in to the more sinister organized crime stage that we are currently experiencing, while still staying technically accurate. The books, in order, are: Stealing the Network: How to Own a Continent, Stealing the Network: How to Own an Identity and Stealing the Network: How to Own a Shadow.

I personally recommend the entire Stealing the Network series.

Out of the Mists of Antiquity...

The only way to really understand something is to go back to the beginning, and the dark side of the Internet is no different. Without light there can be no dark so that is where I'll start.

In the beginning there was ARPANET (Advanced Research Projects Agency Network) which begat the Internet.

First understand that, in sharp contrast to the mainframe-centric standard of the day (1960s), one of the main requirements was that it should be able to sustain 80% failure and the remaining portion or portions had to continue to function. The original project was designed by university students, and in order to document standards, but not offend the professors, the new standards became known as RFCs or Request For Comment.

From these humble origins sprang Richard Stallman, Open Source, VoIP, peer-to-peer (P2P) networks, and the Internet we know and love.

Much of the culture remains a mystery to the majority of the world, even those that participate in it.

There are a few books that help understand the culture.

One of these is The Wisdom of Crowds by James Surowiecki. This book gives evidence that averaging the responses of a group of average people can be more accurate than a single expert or a small group of experts. While this concept is counterintuitive, at least to me it was, Mr. Surowiecki provides evidence to back the theory.

Another is The Starfish and the Spider: The Unstoppable Power of Leaderless Organizations by Ori Brafman and Rod Beckstrom. Here the authors show how decentralized organizations can overwhelm centralized entities. As an example take Napster and its descendants...

And this last one may be surprising, but I submit Blink: The Power of Thinking Without Thinking by Malcolm Gladwell as well. Anyone that has ever known something without knowing why has experienced this. I submit that with the anonymity of the Internet more people are following their "instincts" without fear of ridicule.

Next I'll use the light provided here to explore the dark side.

Wednesday, April 11, 2007

Licensed to SPAM by Uncle Sam

Shame on me after complaining about MS and their marketing hype; on the other hand you can start sending SPAM to one of the lesser known TLA governmental agencies.

Now getting serious, the Securities and Exchange Commission (SEC) wants pump and dump SPAM forwarded to them.

The Internet Storm Center (ISC) has a diary entry here that contains additional information and information about other non-US governmental agencies that are asking for the offending pump-and-dump SPAM be sent to them.

The One, The Only, The Vulnerable Vista

Let's start this out by saying that Vista was designed to be more secure, and it appears to be headed in the right direction there. Just don't get me started on DRM.

Once again Vista, the impenetrable (that is, according to the marketing hype), has been proven vulnerable. There was the ANI vulnerability that MS rushed a patch out for last week, and now during the regular update there is a second vulnerability designated as critical by MS for Vista.

Once all the hype is removed it is just another operating system by Microsoft that has its flaws. Once it has had time to mature I'll consider adding it to one of my systems. For now I'll only "play" with it as a virtual machine.

Tuesday, April 10, 2007

Vista Smista & ANI Exploit

OK, I've gotten it out of my system. I'm not a fan of Vista. I have two main issues in regards to Vista:
  1. The fact that Digital Rights Management (DRM) has some control over my system, and can degrade or disable viewing "premium content" when someone else feels that there is a potential for me to steal premium content. I'd call that guilty unless proven innocent.
  2. Then there is the marketing, I shouldn't call it scam, hype that Vista is invulnerable.

Issue 1 has been beaten to death by many people including myself.

For issue 2 I'll mention Microsoft Security Advisory (935423). This was commonly referred to as the Microsoft ANI vulnerability, and Vista was one of the versions that was vulnerable.

ANI Details

In short this was disclosed to Microsoft in December of 2006. Apparently the first report of this vulnerability being used as an exploit was March 28th. Due to the widespread use of the exploit several third parties released interim patches, including my favorite Zeroday Emergency Response Team (ZERT). Microsoft reacted, as it tends to do when third party patches are released, and the news media starts to publish... Microsoft released the official patch out-of-cycle on Tuesday the 3rd of April (instead of today the 10th of April).

Monday, April 2, 2007

Malware the New Common Cold

Everyone has had a cold and everyone will continue to get colds. Science, and your doctor, have tried to eradicate the common cold, but to no avail.

Why are we still saddled with the common cold? Let's go to the root cause, which is, excuse me, are viruses, and by viruses I mean uncountable millions. Common cold viruses are so numerous that no one has attempted to even count them; common cold viruses can literally appear and die off or mutate into a different strain without anyone knowing.

In the old days viruses were unique digital organisms that would appear and never change. After a while viruses would "mutate" into several distinct strains, as their original creator or another entity made changes.

Nowadays malware writers cross-pollinate between different malware code attempting to create the uber malware. Then there was the so-called storm worm, which spread through a barrage of constantly changing e-mails with different intriguing subject lines and different executables.

The bottom line is that malware is here to stay with us for the foreseeable future, and just like real life there are some times where we must take extra care to avoid infections.

It's a Cold Day on the Internet

No, this is not an April Fools' joke.

Once again the dark side has come out with a nasty, and this one is so bad that the Internet Storm Center (ISC) has raised the threat level to Yellow which ISC describes as:
We are currently tracking a significant new threat. The impact is either unknown or expected to be minor to the infrastructure. However, local impact could be significant. Users are advised to take immediate specific action to contain the impact. Example: 'MSBlaster' worm outbreak.
More information about the various levels are here.

In a nutshell MS has released advisory 935423, also known as CVE-2007-0038, and before that as CVE-2007-1765. The issue is that animated cursors, yes those cute things, can be used to install malware and compromise your computer. Don't think that just because you don't see a change to your cursor that it has not happened (they can use the same visual effects as standard, and infect your computer).

What I find maddening is that this vulnerability was first reported to MS back on December 20, 2006; MS skipped last month's updates and there is no patch from Microsoft yet. I will note that there was no evidence of the vulnerability being exploited until recently, but way to go MS.

Now there is a patch available from Zeroday Emergency Response Team (ZERT) which is detailed here. Personally I'm using it and have used their patches in the past when MS has been slow to get an official fix out for a really nasty, shall I call it a malware epidemic.

ZERT is not known for casually creating unofficial patches, but was formed by a group of well known security experts to provide a quick response for nasty widespread zeroday exploits.

UPDATE: I just ran across the following information posted on April 1st, but it appears to be real. MS is apparently planning on releasing a patch for this a week early on April 3rd, announced on their security blog and on their Microsoft Security Bulletin Advance Notification. This appears to be the truth and not an April Fools' joke. I will note that this states planned, and this is not the first time that a third party patch has embarrassed MS into releasing a security patch out-of-cycle.

No, this is not an April Fools' joke.

Wednesday, March 28, 2007

Another Cup of Cocoa: Responsibility

MySpace, YouTube, Web 2.0 there is so much happening and available out there. It is all exciting and there are so many possibilities opening up.

The freedom of the Internet and web works both ways. The same technology that lets you explore web sites on the other side of the world allows anyone in the world to attack your system and steal from you.

In the real world people choose where to go and can avoid areas where the "criminal element" tend to hang out, or if in a less reputable neighborhood one can always be aware of the surroundings. On the Internet it isn't quite as intuitive, but there are steps that should be taken.

First, everyone must take responsibility for themselves. Just like when we lock our doors and put safety belts on in the car.

As stated before hardware firewalls, software firewalls, and anti malware software should be installed and kept updated.

McAfee SiteAdvisor works on both Internet Explorer and Firefox and can provide a warning when you wander into a "bad" site, and better yet will post warnings on Google search listings to warn you prior to an actual visit.

JavaScript has contributed greatly to the look and feel of the web today, but while many sites use it, on many it is not necessary. JavaScript is so powerful that it is used for malicious purposes as well, including drive-by downloading. With Internet Explorer, script control is an all-or-nothing option: turn it on for a site or turn it off for the site. Firefox with the NoScript add-on allows more granular control and allows controls within the web page.

Stay tuned for the next Cup Of Cocoa post about "sand boxing" to help contain malware. Until next time remember:
In view of all the deadly computer viruses that have been spreading lately, Weekend Update would like to remind you: when you link up to another computer, you're linking up to every computer that that computer has ever linked up to.
— Dennis Miller

Tuesday, March 27, 2007

A Travel Cup of Hot Cocoa: Defense in depth

Everyone likes to keep their hot Cocoa hot. So travel mugs are insulated, and have a lid to help keep it hot. Yes it keeps it in the mug as well, but you can argue that keeping more in the mug helps keep the heat in ;-)

Which brings me to the topic at hand defense-in-depth for the PC.
If it was made by man, it can be hacked and cracked by man.
- Anonymous
Absolutely nothing is foolproof! On the other hand several good defenses layered will slow down or dissuade an attacker.

Hardware Firewall

A hardware firewall should be configured to only allow outgoing traffic and responses to the outgoing traffic. Fortunately this is the default. Any wireless should be configured for security, which is not the default. You don't want your neighbor unintentionally, or intentionally, causing you harm. Then there are the war drivers looking for free access or anonymity while committing crimes that point back to you.

Software Firewall

Yes, this should be running even if it is not a laptop that travels outside your network. One area of concern with Windows firewalls: for ease of use and compatibility there is much greater trust on the local network, which could be used against your machine while you enjoy your Cup of Cocoa at the local WiFi hotspot.

Anti-Malware

Both anti-spyware and anti-virus should be running and kept up to date.

Windows Work Both Ways

The average web browser shows off the baubles of the internet, but at the same time, by default and for your viewing pleasure, lets remote sites into your computer.

Internet Explorer is infamous for being the weak link used by many exploits. Firefox has a better default security stance, but is not perfect. Firefox also has a quicker response for security fixes.

McAfee SiteAdvisor (http://www.siteadvisor.com) will flag sites that can cause grief if visited. It has an icon that shows the current site rating, and access to the details available. Additionally Google searches will show the SiteAdvisor graphic next to each search result.

There is still a free version available at no cost. There are plug-ins for both IE (http://www.siteadvisor.com/download/ie.html) and Firefox (http://www.siteadvisor.com/download/ff.html).

NoScript (http://noscript.net/) is a Firefox add-on that provides granular control over scripts. In a nutshell, any web page that is visited may pull content and scripts from other web sites and servers. Without NoScript there are only two options: allow all scripts on the page, or do not allow any scripts. NoScript allows or disallows scripts based on URL. It is quite flexible and even allows temporary rights to run scripts, in addition to white listing and black listing.

NoScript (http://noscript.net/) is highly recommended.
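The per-URL decision described above, modelled as an added example that is not NoScript's own code: it lists the hosts a page pulls scripts from and applies a default-deny allowlist. The page, host names and allowlist are constructed placeholders, and the matching rule is a simplified assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page; every host name here is a placeholder.
PAGE_URL = "https://news.example/story/42"
PAGE_HTML = """
<html><head>
<script src="/js/site.js"></script>
<script src="//cdn.example.net/lib.js"></script>
<script src="https://stats.example.org/counter.js"></script>
<script src="https://stats-example.org/counter.js"></script>
<script>document.title = "inline";</script>
</head><body><p>Story text</p></body></html>
"""


class ScriptCollector(HTMLParser):
    """Collects the absolute URL of every external script on a page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            # Resolves relative and protocol-relative (//host/...) references.
            self.sources.append(urljoin(self.page_url, src))
        # Inline scripts have no src; in this model they fall under the
        # decision made for the page's own host.


def host_allowed(host, allowed_hosts):
    """Exact host or a subdomain of an allowed entry; never a substring match."""
    return any(host == a or host.endswith("." + a) for a in allowed_hosts)


def audit_scripts(page_url, html, allowed_hosts):
    """Return (host, is_third_party, decision) for each distinct script host."""
    collector = ScriptCollector(page_url)
    collector.feed(html)
    page_host = urlsplit(page_url).hostname
    seen = {}
    for src in collector.sources:
        host = urlsplit(src).hostname
        if host is None or host in seen:
            continue
        decision = "allow" if host_allowed(host, allowed_hosts) else "block"
        seen[host] = (host, host != page_host, decision)
    return list(seen.values())


if __name__ == "__main__":
    # Default deny: only the site itself and one CDN domain are trusted.
    for row in audit_scripts(PAGE_URL, PAGE_HTML, {"news.example", "example.net"}):
        print(row)
```

The look-alike host `stats-example.org` stays blocked even when `example.org` is allowed, because matching is done on whole host labels rather than on substrings.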

Monday, March 26, 2007

Credit vs. Debit

Is a credit card better than a debit card, or vice versa?

In the US the credit card wins hands down: by federal law the credit card company is responsible for fraudulent charges to your account. No such protection exists for debit cards, even if they are used as a "credit card."

A short, and unfortunately true, story to illustrate the issues with a debit card.

A man goes through a fast-food drive through and pays with his debit card. The cashier hands back his debit card, which is put back into his wallet for safe keeping.

The next day the man receives a call from his bank. His account is overdrawn by several hundred dollars. After a brief discussion it becomes apparent that there were multiple purchases made with his debit card after the man used his card at the fast food drive through window.

The bank explains that the card was stolen, the man disagrees, but finally takes his card out of his wallet. Right bank debit card, but not his name or number. It is a card reported stolen. The cashier at the fast food place switched the cards...

An expensive way to learn that debit cards are not protected by law.

Best Practices:

  • Only use your debit card at your bank's ATM.
  • Use your credit card for purchases.
  • Your spouse or significant other should use a credit card with a different account/card number* on it.

* Most banks will issue a different card number for each card issued for an account. This allows tracking who spent what, and replacing one lost or stolen card while still being able to use the other card(s).

The Band-aid Approach

There was a comment posted asking why I was against the approach of shuffling buffers around in my post entitled Exploit Longevity (http://sec-soapbox.blogspot.com/2007/03/exploit-longevity.html).

Before I can answer I need to make sure that we have a common understanding of buffers and buffer overflows.

What is a Buffer?

A buffer is a portion of memory where a program stores information that changes. Every time a web site address is typed into a web browser the address is stored in a buffer.

What is a Buffer Overflow?

Buffers do not have an unlimited size, and that fact can be exploited by providing too much information to the program and overflowing the buffer. When a buffer is overflowed one of two things happens: the program crashes, or it runs what the perpetrator wants it to.

When the program crashes that is a Denial of Service (DoS) attack.

When the program executes what the attacker intended, that is an exploit. For a little more meat, i.e. a technical explanation: the attacker will usually use a series of NoOp* instructions to create a "NoOp slide" before the exploit code. Once the program tries to execute the code that was after the buffer it will "slide down" the NoOps to the exploit.

Is Moving the Buffer a Cure?

Consider finding out that someone with the right tool, a "slim jim," can open your car door and steal the car. The manufacturer has all the cars modified to move the "weak link" over 5 inches, but does not protect it. Since everyone knows the fix, it simply takes car thieves a short time to adjust and continue stealing cars.

Of course it's different with software patches... Not.

For the exploiter the patch is simply the instruction manual for finding the new location of the buffer.

In essence this type of patch is a band-aid not a cure.

* A single-byte machine code instruction that performs no operation. Originally used to remove code from machine code without having to rewrite major portions of the program.

What is a buffer overflow

What prevents a buffer overflow

Why moving a buffer isn't a fix

With securely written programs buffer overflows can't happen.
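The difference between moving a buffer and bounding it, as an added example that is not part of the original post: the arena, the two buffer offsets and all function names are assumptions made for illustration, and the overflow is simulated inside one larger array so nothing is ever written outside it.

```c
/* Added illustration; arena, offsets and names are assumptions, not from the post. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ARENA_SIZE 64   /* simulated stretch of program memory */
#define BUF_SIZE   16   /* size of the buffer that holds the typed address */
#define GUARD      0xA5 /* marks every byte that is NOT supposed to change */

/* Reset the arena so every byte carries the guard value. */
static void arena_init(unsigned char *arena)
{
    memset(arena, GUARD, ARENA_SIZE);
}

/* Unchecked copy: trusts the input length, like strcpy(). The clamp to
 * ARENA_SIZE exists only so this simulation never leaves its own array. */
static size_t copy_unchecked(unsigned char *arena, size_t buf_off,
                             const char *input)
{
    size_t n = strlen(input) + 1;             /* text plus terminating NUL */
    if (n > ARENA_SIZE - buf_off)
        n = ARENA_SIZE - buf_off;
    memcpy(arena + buf_off, input, n);
    return n;
}

/* Checked copy: refuses anything that does not fit in BUF_SIZE bytes,
 * terminator included. Returns 0 on success, -1 on rejection. */
static int copy_checked(unsigned char *arena, size_t buf_off,
                        const char *input)
{
    size_t len = strlen(input);
    if (len >= BUF_SIZE)
        return -1;                            /* too long: nothing written */
    memcpy(arena + buf_off, input, len + 1);
    return 0;
}

/* Count bytes outside [buf_off, buf_off + BUF_SIZE) that lost their guard. */
static size_t bytes_clobbered(const unsigned char *arena, size_t buf_off)
{
    size_t i, count = 0;
    for (i = 0; i < ARENA_SIZE; i++) {
        int inside = (i >= buf_off && i < buf_off + BUF_SIZE);
        if (!inside && arena[i] != GUARD)
            count++;
    }
    return count;
}

/* Run one copy with the buffer at buf_off; return neighbouring bytes damaged. */
size_t run_case(size_t buf_off, const char *input, int checked)
{
    unsigned char arena[ARENA_SIZE];
    arena_init(arena);
    if (checked)
        (void)copy_checked(arena, buf_off, input);
    else
        (void)copy_unchecked(arena, buf_off, input);
    return bytes_clobbered(arena, buf_off);
}

/* Does the checked copy accept this input? 1 = stored, 0 = rejected. */
int accepted(const char *input)
{
    unsigned char arena[ARENA_SIZE];
    arena_init(arena);
    return copy_checked(arena, 8, input) == 0;
}

int main(void)
{
    /* Constructed inputs: one longer than BUF_SIZE, one that fits. */
    const char *too_long = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
    const char *fits = "example.org";

    printf("unchecked, buffer at  8: %zu bytes clobbered\n", run_case(8, too_long, 0));
    printf("unchecked, buffer at 13: %zu bytes clobbered\n", run_case(13, too_long, 0));
    printf("checked,   buffer at  8: %zu bytes clobbered\n", run_case(8, too_long, 1));
    printf("checked,   buffer at 13: %zu bytes clobbered\n", run_case(13, too_long, 1));
    printf("short input accepted: %d, long input accepted: %d\n",
           accepted(fits), accepted(too_long));
    return 0;
}
```

Moving the buffer from offset 8 to offset 13 leaves the same number of neighbouring bytes damaged by the unchecked copy; only the length check brings that number to zero at either location.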

Tuesday, March 20, 2007

Exploit Longevity

Ever notice how some exploits just seem to stay around forever?

There is actually a simple, but in my opinion ugly, explanation for this. As usual an example can be worth a thousand words, and I’m going to use rpc18.c as an example:

//////////////////////////////////////////////////////
//
// Windows RPC DCOM Remote Exploit with 18 Targets
// by pHrail and smurfy + some offsets by teos
//
// Targets:
// 0 Win2k Polish nosp ver 5.00.2195
// 1 Win2k Polish +sp3 ver 5.00.2195
// 2 Win2k Spanish +sp4
// 3 Win2k English nosp 1
// 4 Win2k English nosp 2
// 5 Win2k English +sp1
// 6 Win2k English +sp2 1
// 7 Win2k English +sp2 2
// 8 Win2k English +sp3 1
// 9 Win2k English +sp3 2
// 10 Win2k English +sp4

// 11 Win2k China +sp3
// 12 Win2k China +sp4
// 13 Win2k German +sp3
// 14 Win2k Japanese +sp2
// 15 WinXP English nosp ver 5.1.2600
// 16 WinXP English +sp1 1
// 17 WinXP English +sp1 2
// 18 WinXP English +sp2

//
/////////////////////////////////////////////////////////

Notice targets 3-10 are all English versions of Windows 2000 and 16-18 are all Windows XP. Now each target has a different patch level so it must be exploiting the exact same issue, but wait there is more. The next section below shows the offset where the exploit is located.

The text on each line in quotes is the location where the exploit is located in the program. The troubling issue is that for each patch level the location has changed. In other words instead of fixing the problem with the patch the location of the vulnerability is moved, and obviously, as rpc18.c shows, this is not an effective method.

/* Myam add OFFSETS*/
char win2knosppl[] = "\x4d\x3f\xe3\x77"; /* polish win2k nosp ver 5.00.2195*/
char win2ksp3pl[] = "\x29\x2c\xe4\x77"; /* polish win2k sp3 - ver 5.00.2195 tested */
char win2ksp4sp[] = "\x13\x3b\xa5\x77"; /* spanish win2k sp4 */
char win2knospeng1[] = "\x74\x16\xe8\x77"; /* english win2k nosp 1 */
char win2knospeng2[] = "\x6d\x3f\xe3\x77"; /* english win2k nosp 2 */
char win2ksp1eng[] = "\xec\x29\xe8\x77"; /* english win2k sp1 */
char win2ksp2eng1[] = "\x2b\x49\xe2\x77"; /* english win2k sp2 1 */
char win2ksp2eng2[] = "\xb5\x24\xe8\x77"; /* english win2k sp2 2 */
char win2ksp3eng1[] = "\x7a\x36\xe8\x77"; /* english win2k sp3 1 */
char win2ksp3eng2[] = "\x5c\xfa\x2e\x77"; /* english win2k sp3 2 */
char win2ksp4eng[] = "\x9b\x2a\xf9\x77"; /* english win2k sp4 */
char win2ksp3chi[] = "\x44\x43\x42\x41"; /* china win2k sp3 */
char win2ksp4chi[] = "\x29\x4c\xdf\x77"; /* china win2k sp4 */
char win2ksp3ger[] = "\x7a\x88\x2e\x77"; /* german win2k sp3 */
char win2ksp2jap[] = "\x2b\x49\xdf\x77"; /* japanese win2k sp2 */
char winxpnospeng[] = "\xe3\xaf\xe9\x77"; /* english xp nosp ver 5.1.2600 */
char winxpsp1eng1[] = "\xba\x26\xe6\x77"; /* english xp sp1 1 */
char winxpsp1eng2[] = "\xdb\x37\xd7\x77"; /* english xp sp1 2 */
char winxpsp2eng[] = "\xbd\x73\x7d\x77"; /* english xp sp2 */

Saturday, March 17, 2007

Cup of Hot Cocoa: Patch Warfare II

What to do?

First

Either update your machines religiously on every Black Tuesday (the second Tuesday of the month when Microsoft releases security patches). I don't trust Microsoft update. I have seen too many machines that have it running and are still unpatched days after new patches are released. I know many of these machines were left running overnight to update. So my conclusion is that the Microsoft update services are overwhelmed by the sheer numbers to properly serve all the machines clamoring for updates.

Third Party Software

Microsoft has no mechanism to update non-Microsoft programs, and who doesn't have those? These must be kept up to date as well. Some offer automatic silent updates, automatic notices of updates or nothing at all. Oh, I almost forgot about the automated update notice that is broken... I ran into this with several versions of Sun Java JRE.

Well, there is an option for some of the more popular software out there. Secunia Software's free online assessment, which I wrote about in How to Find Bad Apps (http://sec-soapbox.blogspot.com/2007/02/how-to-find-bad-apps.html), will scan your computer for vulnerable non-Microsoft applications.

Cruft

Not all applications clean up after themselves. Sun Java for one leaves old versions in place, which can be useful for those few who actually need multiple versions. For the rest of us it leaves security holes on our systems and takes up disk space. I have more details, including how to automate the install and de-installation of Sun Java, posted here: Do you Java? (http://sec-soapbox.blogspot.com/2007/01/do-you-java.html).

Stay tuned for the next "Cup of Hot Cocoa" episode where I discuss default.

Friday, March 16, 2007

Cup of Hot Cocoa: Patch Warfare

Back in the day...

In the PC world patches were a rare thing. You purchased a program and then when the next version came out you either upgraded or didn't, end of story.

As programs became more complex and we actually began to use more of the growing set of features, we found bugs and software companies began to supply patches. If I recall correctly (IIRC) most patches were actually a whole new install that you didn't have to pay for... well maybe a small fee for the media (5 1/4 inch floppies) and shipping.

Most people and companies didn't bother installing patches unless they experienced an error that required the patch to be resolved.

Time and the world moved on and before we knew it people actually started to break into computers. A whole new breed of patches. Security patches.

As the "dark side" evolved their techniques patch management went from an anomaly, to a necessity, to the current arms race.

  • Vulnerabilities (http://www.answers.com/main/ntquery?s=vulnerability&gwp=13) are announced.
  • Exploits (http://www.answers.com/topic/zero-day-exploit) are found in the wild, or sold on "underground" auctions.
Patch warfare has become a reality. Companies must balance between breaking business applications and vulnerable systems. Leaving systems unpatched is simply not an option anymore. Windows Survival Time (http://www.dshield.org/survivaltime.html) tracks the length of time unpatched systems avoid infection by malware, and for Windows the "sweet spot" tends to be 40-60 minutes once connected.

Then there is a paper, Windows XP: Surviving the First Day (http://www.sans.org/reading_room/whitepapers/windows/1298.php), that has advice on how to patch a new system prior to connecting it to the world, and no, it is doubtful the system will survive long enough to finish the Windows on-line patch process before it is infected. I personally have had luck with this DIY Service Pack: Installing Windows updates without an internet connection (http://www.heise-security.co.uk/articles/80682/0) for updating new systems and ones that are missing patches.

Thursday, March 15, 2007

Why is Windows Insecure?

Consider the following quote for a minute:
Securing an environment of Windows platforms from abuse - external or internal - is akin to trying to install sprinklers in a fireworks factory where smoking on the job is permitted.
— Gene Spafford (in e-mail to organizers of a workshop on insider misuse)

I'd say reactions to this statement cover the whole range, from "Them's fight'in words" to laughter to agreement.

The fact of the matter is that Windows was born at a different time. To a proud papa that wanted the whole world to love his offspring. Windows was taught to be polite and play with others. Even if Windows had to play dumb so that they could understand it.

Now back to reality. Windows was designed to be backwards compatible (who wants to buy something that breaks everything else?) and easy to set up and use. Ever break out of the password prompt on a Windows 9X machine and do whatever you want? How about break out of and kill the password protected screen saver on the same machine? Both of these were trivial exploits that only required physical access.

Windows Vista is Microsoft's first attempt to drop the legacy weakness and create a secure operating system from the start.

I consider XP Service Pack 2 to be Microsoft's first real attempt to secure any Windows version, and XP is still the most exploited and abused operating system known to man.

XP Service Pack 2 was a step in the right direction. The jury is still out on Vista, although it may shape up into a hanging jury. ;-)

Monday, March 12, 2007

A Small Cup of Hot Cocoa

Less is More!

Less running or installed on your computer is more secure. With less running on your computer there are fewer attack vectors (http://searchsecurity.techtarget.com/sDefinition/0,290660,sid14_gci1005812,00.html).

To make sure we are all on the same page, consider that everything that is running on a computer is a potential weak point where the system can be compromised. Unnecessary or occasionally used programs should not be set to start when your computer starts or you log into the computer. Sun Java is a good example here: Java does not start until it is needed.

Some Things are *Not* Optional

This is not to say that there are not some things that should be running, as they specifically add security. Three that come to mind are personal firewalls, anti-virus and anti-spyware. Honestly the line between the last two has been blurring and we should have "anti-malware." Aside from the fact that there is no marketing value in malware and no one would buy it...

In keeping with the theme that more is less I won't do a deep dive on removing excess programs right now, but will look up some good references and post them in another blog entry.

Stay tuned for the next "Cup of Hot Cocoa" episode where I discuss patch warfare.

Friday, March 9, 2007

Light at the End of the Tunnel?

...or do I hear a train coming?

Microsoft has announced (http://www.microsoft.com/technet/security/bulletin/advance.mspx) that there will be no Black Tuesday (no security patches) this month. Have we finally turned the tide? I think not.

SANS Internet Storm Center keeps a list of known security vulnerabilities that are not patched, "The missing Microsoft patches." (http://isc.sans.org/diary.html?storyid=1940&dshield=5dcab42dbdd98865096b12b60165295c) So if it was a light month why not catch up on unpatched vulnerabilities before another one becomes critical?

In my opinion Microsoft is giving battered IT workers a break due to their Daylight Savings Time (DST) patch requirements. The new US DST starts this weekend (three weeks earlier than previously).

The real problem is the herculean tasks required to upgrade all but the latest Microsoft products (Windows XP, 2003 Server and Exchange 2007). As an example Windows 2000 requires manual registry settings, but that is not as bad as Exchange.

For any version prior to Exchange 2007 (and how many ran out and updated to that yet?) Microsoft supplies utilities that must be run against every Exchange user's mailbox. Now these utilities are resource intensive and have been causing total outages on Exchange while running the utility at worst, and apparently intermittent outages on some servers.

While I don't claim to have insider information on all the companies running Exchange what I have seen and heard all point to companies scrambling this week to be prepared for the time change.

You might think shame on the companies for waiting for the last minute, but on the other hand think about:
  • Lean and mean IT departments
  • Microsoft must be coming out with a less painful method...
Right now I don't know if I condone or condemn Microsoft's actions, but I do think in a perfect world a better course of action would have been to delay Black Tuesday by a week.

Thursday, March 8, 2007

Hot Cocoa

Based on my recent blog entry on insecure endpoints, "https is all I need, right?" (http://sec-soapbox.blogspot.com/2007/03/https-is-all-i-need-right.html), Joe of 2 Guys Named Joe (http://www.2gnj.com) wants to know how to determine if he is secure and if his information is already out there.

First my warning: the Cocoa is very hot, so be careful that you do not burn your tongue. In other words there is no silver bullet in security. My second warning is that since I have covered some of this previously I will reference any previously written blog entries rather than reproduce them.

Balancing Act

One of the points to understand is that security is a process not a goal. If it was a goal then when your village/town/city was established the police would show up and secure it. Then the police would leave and there would never be any crime. I don't think anyone would subscribe to that option.

On the other hand we can't have a police officer assigned to every person and building to provide 100% security and protection. But some institutions hire guards to protect valuable assets.

In computer security it is much the same. Too much security prevents people from getting anything done and will cause people to circumvent it (the sticky note on the monitor for the assigned password). There must be a balance between security and ease of use. Additionally there must be a balance between value of an asset and cost to protect the asset.

See Risk Options (http://sec-soapbox.blogspot.com/2007/03/risk-options.html) for additional details.

The Basic Goal

The best you can do is make sure you are not the easiest target. In short, unless there is a reason to target you, the dark side will tend to go after the "low hanging fruit." If a burglar is walking down the street looking for a house to burglarize, they will tend to avoid the ones with an alarm in favor of one that doesn't have one.

See Predators and their Prey (http://sec-soapbox.blogspot.com/2007/01/predators-and-their-prey.html) for an old security joke and more details.

Passwords

Everyone hates passwords, but at the moment they are a fact of life. Everyone has to have passwords, and too many people use simple, easy to break passwords.

I subscribe to using a very long, complex password to protect your password database. See Anatomy of a Password (http://sec-soapbox.blogspot.com/2007/01/anatomy-of-password.html) for more information on complex usable passwords.

I personally use Password Safe (http://passwordsafe.sourceforge.net/), but it is not the only option. See Password Tools (http://sec-soapbox.blogspot.com/2007/01/password-tools.html) for more information.

More to come


This is a complex topic and I will flesh it out with additional blog entries.

Wednesday, March 7, 2007

Black Tuesday, Wednesday, Thursday, etc.

MS Patching

Officially called Patch Tuesday, this is the second Tuesday of the month, and is the date that Microsoft releases their patches for the month.

Many users, and small companies, have set their computers to automatically update. These computers will check daily for updates, and apply them as they are released. Or not...

It appears that the sheer volume of computers attempting to check for updates causes timeouts, which, again apparently, the computer treats as there being no updates available.

Same Bat Time, Same Bat Place...

MS automated updates all default to the same time, and most people never change the defaults. So each time zone pounds on the MS update servers, basically, in unison.

The Consequences

This is understandable from a programming perspective, but it leaves large numbers of computers set for automatic updates vulnerable after Patch Tuesday.

Wherever I find this issue I automatically manually run updates, and I have found this issue 3 and 4 days after Patch Tuesday.

It's the second Wednesday of the month, do you know where your computer's patches are...

Tuesday, March 6, 2007

Risk Options

Old, but still relevant.
Wisdom consists in being able to distinguish among dangers and make a choice of the least harmful.
— Niccolo Machiavelli, The Prince
Value vs. Cost

This is still one of the hardest aspects of security today. What are your different assets worth and how much will you spend on protecting them? The difficulty arises when intangible assets are involved. How much is a customer list worth? What about credit card information?

For a corporation a $2,000 laptop is not a major asset, but when customer data resides on the laptop the value of the asset just increased. Now spending $1,000 on the laptop's security (Physical lock down cable, encryption, phone home software, etc.) may be an acceptable cost.

On the other hand, when is risk transfer the best solution?

Consider the owners of rare gems and artwork. I bet every single one has an insurance policy that covers theft and destruction. While the owner would rather keep the object, some or all of the financial risk is transferred to the insurance company.

Monday, March 5, 2007

https is all I need, right?

Everyone talks about only sending your information over a secured connection when ordering or sending personal information over the internet, but is that all you should be concerned about?
Using encryption on the Internet is the equivalent of arranging an armored car to deliver credit card information from someone living in a cardboard box to someone living on a park bench.
— Gene Spafford
In other words both ends of the communication must be secure. With phishing, pharming, malware (including rootkits), drive-by-downloading, computers without passwords, etc., your home computer is at risk. What are you doing to protect your computer?

Then there are all the security breaches and lost computers, tapes, etc. at the web sites/stores you shop at. Look at TJX, the company behind TJ Maxx, Marshalls, Winners, HomeGoods, TK Maxx, AJ Wright, and HomeSense. TJX experienced, and tried to cover up, one of the most extensive long term security breaches in history. Additionally it has been the one that has had the most fraudulent charges directly linked to the break-in.

Don't let a secure connection lull you into a false sense of security. Your personal information may already be out there.

Sunday, March 4, 2007

Evolution: Fun, Bragging Rights and Profit

In the Beginning

Back in the old days it was the curious looking to expand their understanding of systems. They could hack together a program; in fact the best hack was the most concise and elegant code.

Organic Evolution

Some of these hackers turned their focus deep into the bowels of the computers and their operating systems. Of course this required a higher privilege level, which meant cracking into accounts with greater privileges, usually called root on Unix systems, and thus began the evolution of the modern day hacker.
Sidenote: Crackers are hackers that use their skills for breaking into systems, in much the same way as an assassin uses their abilities as a marksman to kill. Alas the public has picked up the term hacker so life goes on.
Pressure to be the best

As time passed pride demanded that these hackers proclaim their victories to the world. Hackers would post their conquests on underground communication channels and then started proclaiming them to the world in the form of defaced web pages.

As time passed, tools automated finding and breaking into systems. At first these were transferred "underground," but many migrated to the mainstream. Additionally security researchers and administrators began to write their own tools to find and patch the holes before the hackers did.

Scavengers Appear

These tools gave rise to the script kiddies: people that learned how to run the tools, but did not know how to use them. These are the people that scan large blocks of the internet looking for something to attack. They tend to attack based on port, not application. In other words these are the ones that launch Microsoft IIS attacks on Apache Web Servers.

The hard core criminal element eventually caught wind of this new avenue for illegal profits. This has given rise to two basic criminal categories: the botnet herders and the professional crackers.

Botnet herders' initial growth and expansion is very similar to script kiddies. In their recruitment phase spam, drive-by-downloads and scans are used to recruit new bots, or zombies, into the herd. These botnets can then be used for DDoS attacks, spam propagation, and other nefarious for-profit motives.

The professional cracker will case their target and look for vulnerabilities and unprotected avenues to launch their attack. The professionals will learn their prey including partners, remote workers, IP addresses, key employees, environment.
Amateurs hack systems, professionals hack people.
— Bruce Schneier
Update: The professional hackers tend to be freelancers or directly controlled by organized crime.

Saturday, March 3, 2007

One

One, simply one. One crack, one unguarded point of entry or one moment of opportunity. So true, and so deadly at the same time:
We only need to be lucky once. You need to be lucky every time.
— The IRA to Margaret Thatcher, after a failed assassination attempt.

Probably the most famous example of one point of weakness is Achilles' heel (http://en.wikipedia.org/wiki/Achilles%27_heel). In short, Achilles' mother dipped him in the river Styx, and the water from the river made him invulnerable, except for where his mother held him with her finger and thumb on his heel. Thus he was invulnerable except one spot, his heel, which led to his downfall.

Friday, March 2, 2007

Why is Defense so Hard?

The basic premise is that you defend every attack vector, while the attacker probes for the one weak point where your defenses can be bypassed or breached.
Securing a computer system has traditionally been a battle of wits: the penetrator tries to find the holes, and the designer tries to close them.
— M. Gosser
When possible in the physical world, fortifications are used to limit the attack vectors, and defense in depth is obtained by layering obstacles such as walls, cliffs, moats, and rivers.

A more modern description could be a football game. The goal, pun intended, is to breach the other team's defense and score.

No one gets points added to their score for the number of plays that are successfully defended against.

Thursday, March 1, 2007

This isn't Your Father's Phone

As I mentioned previously I started blogging after being a guest on the "2 Guys Named Joe" podcast (http://twoguysnamedjoe.libsyn.com/).

Recently I was invited back to discuss VoIP AKA Voice over IP (http://www.answers.com/main/ntquery?s=voip&gwp=13) for their current podcast 2gnj Episode 30: Ed Wants VOIP (http://twoguysnamedjoe.libsyn.com/index.php?post_id=185540).

I really enjoy doing the podcasts and decided I'd do a follow-up blog entry on VoIP security.

The Basics:

First, one basic non-security fact: VoIP requires broadband (http://www.answers.com/main/ntquery?s=broadband&ff=1), which roughly translates into DSL, Cable or FiOS (http://www.answers.com/main/ntquery?s=fios&gwp=13).

Second anyone who is using a broadband connection should be running a hardware router/firewall. These devices are under $100 and considering the cost of broadband at $30-$50 a month they are well worth it.

Location, location, location:

Just like in real estate location matters. For security reasons you should place the phone adapter behind your firewall.

I have seen many recommendations and diagrams for placing it in front of the firewall. This has only one goal which is to prevent calls to the helpdesk. This is good for your VoIP provider, but not for you.

The best thing for the VoIP customer is to give the phone adapter a static IP address, or use the MAC address (http://www.answers.com/main/ntquery?s=mac+address&gwp=13) to have your router always provide the same IP address to your phone adapter. Then have your router forward UDP ports 5060-5061 to your phone adapter's IP address.

In The Clear

Everything you say can be heard by anyone...

Just like a regular phone everything you say is transmitted in the clear, or understandable to anyone with the right tools. When it comes to old fashioned phones there are wiretaps and good old standard thunderbirds (these are used for troubleshooting and allow the user to listen in on a phone call). To be able to protect your conversation you would need to purchase a special phone and the person you call would need one as well.

With VoIP there seems to be a viable inexpensive option: Zfone (http://zfoneproject.com/getstarted.html).

Zfone was created by the same man that created PGP, Phil Zimmermann (http://zfoneproject.com/aboutphil.html). As is to be expected, both users have to use Zfone for it to work. Presently it only works with "soft phones," such as x-lite (http://www.xten.com/index.php?menu=X-Series), due to the fact that the currently available implementations run on the same computer. Additionally there is a Software Development Kit (SDK) available on the site.

Zfone utilizes ZRTP and has been submitted for acceptance as a standard (http://zfoneproject.com/zrtp_ietf.html), which will allow its inclusion in any VoIP product.

ZRTP is an extension to Real-time Transport Protocol (RTP) which describes a method of Diffie-Hellman key agreement for Secure Real-time Transport Protocol (SRTP). It was submitted to the IETF by Phil Zimmermann, Jon Callas and Alan Johnston on 5 March 2006.
- http://en.wikipedia.org/wiki/ZRTP

Sunday, February 25, 2007

Isn't that so cute...

The user's going to pick dancing pigs over security every time.
— Bruce Schneier


This in one sentence summarizes how the bad guys penetrate defenses time after time. How can that cute little game be harmful?

This is also why Vista's UAC giving administrator rights to every setup program that is run.

Friday, February 23, 2007

Ultimate Security

Now this is getting to be truly secure:
"The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards - and even then I have my doubts."
- Gene Spafford, Ph.D., Purdue CERIAS

I like to expand on this by having the concrete-covered computer sealed in a lead box that is dropped off at a random location in the ocean... then of course you have to kill the crew to keep the location secret.

BTW there is no data recovery option with this level of security.

Thursday, February 22, 2007

Liberty Boxes

Everyone runs across quotes in their digital life, and some are worth sharing.
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)

Wednesday, February 21, 2007

The Register on Vista Security

The Register has a good blow-by-blow article on Vista Security (http://www.theregister.co.uk/2007/02/20/vista_security_oversold/). As you would hope, it covers the good, the bad and the ugly. This is true despite an inflammatory remark, especially if taken out of context as it is here:
In a nutshell, Windows is single-handedly responsible for turning the internet into the toxic shithole of malware that it is today.
It explains IE7's sandbox techniques and then shows what I will term bugs, where it violates the sandboxed environment.

There is of course the touted User Account Control (UAC) which is a good concept... gone bad.

The quote below gives a good description:
And there's the catch: "Windows needs your permission to install this cleverly-disguised Trojan nifty program. Click Yes to get rooted continue."
I have more details in a previous post near the end "The ultimate Vista malware is... Setup.exe" (http://sec-soapbox.blogspot.com/2007/02/6-million-dollar-os-or-new-prey-in-town.html)

Then there is "Data hygiene:"

Finally, it's fixed.
Oh wait; it's not fixed. In fact, things just got a lot worse.
...

The worst part of this is that by offering the option to disable the list of recent files, MS has given users a false sense of privacy and security. The reality is that privacy and data hygiene are even more difficult than before. What a blunder.
The summary of the summary

So, what have we got here... We have got... a slightly more secure version than XP SP2... good features... good ideas... implemented badly.

Tuesday, February 20, 2007

TSA Hacked, Incompetent or Both

The story begins like this:
Has the Transportation Security Administration's website been hacked? All indications are yes, and that a malicious phishing attack has been launched against travelers...
-http://blog.wired.com/27bstroke6/2007/02/homeland_securi.html
Then it gets worse.

Read the article, and if this is any indication of the professionalism, be afraid, be very afraid.

Update 3/8/2007: Congress Reacts

It appears that Congress has gotten wind of this inexcusable issue (http://blog.washingtonpost.com/securityfix/2007/02/security_fix_report_on_tsa_sit.html).
Citing reports by Security Fix and Wired, the chairman of the House Committee on Oversight and Government Reform is demanding that the Transportation Security Administration produce a raft of documents to explain why it created a Web site for airline travelers that lacked basic security protections.


How to Find Bad Apps

Every month Windows or Microsoft Update will download patches and fixes to your computer, but what about all the other non-Microsoft software?

To check on upgrades for popular and multimedia software simply use the Secunia Software Inspector (http://secunia.com/software_inspector/).

Wednesday, February 14, 2007

The 6 Million Dollar OS: Or A New Prey in Town

I can just hear it "We can re-build it better, faster, more secure... the 6 million dollar OS"

Is it really better or just a new meal for the predators of the Internet

Microsoft Vista is a rewrite of the desktop version of Microsoft's flagship Windows OS. It is touted as the most secure, stable, advanced OS yet. What is the reality behind the hype?

Anecdotally:
  • No major company is even interested in it
  • XP is a more stable platform for multimedia
  • XP is a more stable platform for First Person Shooter (FPS) games
Factual:

  • Where the rubber hits the road for the Information Superhighway: This is the main interface to the outside world where web pages, e-mail and IM (http://en.wikipedia.org/wiki/Instant_message) flow between computers. As with all of Vista this was re-written from scratch to be more secure, but instead of learning from the past, history was repeated. Flaws that had been fixed in XP appeared in the new code, which doesn't bode well. In security the old "tried and true" adage is accurate (nothing is perfect and over time flaws will surface and be, hopefully, fixed). The SecurityNow "Vista's Virgin Stack" podcast (http://grc.com/securitynow.htm) has additional information.
  • Microsoft challenges the hackers: Microsoft touted the security of Vista and dared hackers at the last Defcon conference to breach their security. So security researcher Joanna Rutkowska showed a room full of attendees how to install a Vista rootkit (http://www.technewsworld.com/story/52254.html).
  • The ultimate Vista malware is... Setup.exe: Joanna Rutkowska has found a bigger hole in the User Account Control (UAC) design (http://blogs.zdnet.com/security/?p=29&tag=nl.e589). When a setup program is detected you have two choices: give it administrative rights, or don't install it. This is a complete violation of the Principle of least privilege. A game should not have rights to install a rootkit err... I mean a kernel driver. According to Microsoft's Mark Russinovich's blog (http://blogs.technet.com/markrussinovich/archive/2007/02/12/638372.aspx) "...potential avenues of attack, regardless of ease or scope, are not security bugs." Excuse me.

Tuesday, January 30, 2007

Predators and their Prey

An old joke in the security community is:

  • Two people are walking on the Serengeti and they notice a lion is stalking them.
  • The first person stops, pulls out running shoes and puts them on.
  • The second person states "You can't out run a lion."
  • The first person states "I don't have to out run the lion. I have to out run you."

The moral is that the easiest "kill" is the one most often taken by the predators.

The corollary is that the predators would rather hunt large herds where the sheer number almost guarantees a kill.

The corollary's moral is that, since Windows is the biggest herd on the internet, make sure you're not one of the slowest and weakest in the herd.

Personally my running gear consists of a hardware firewall, personal firewall, anti-virus and anti-spam. In addition to that I use Firefox with the noscript and Siteadvisor extensions.

Thursday, January 25, 2007

acroBat out of 'ell

I now know why Acrobat 7 doesn't have Acrobat 8 as an upgrade. So far it seems to be a downgrade in ease of use and quite slow.

Now I upgraded because lately there have been several issues with Acrobat 7 that were not present in Acrobat 8. Additional details on the vulnerabilities are at the end for those that wish more information.

Anyway I decided to update to Acrobat 8 only to lose functionality and speed.

Its interface has changed and not for the better. When displaying documents in MS IE your choices are limited to the icons at the top and the options available when you right click on the document. It doesn't have the convenient "e-mail this file" icon; you have to save the document and e-mail it outside of the window. I do receive documents generated on the web that I do have to e-mail. When a document is displayed with the wrong orientation your only choice is to right click "rotate clockwise", which works but may need 3 rotations as opposed to one rotation counterclockwise.

Bottom line is that I'm going to try Foxit Software's PDF Reader (www.foxitsoftware.com/pdf/rd_intro.php), which is free and much smaller (the install program is about 1.5M compared to Adobe at about 20M).

Update 2-21-2007:

I find that Foxit works over 99% of the time. The exception is when a site is specifically written to utilize Acrobat Reader.

Vulnerability Details

The first was announced December 5th 2006 (http://www.adobe.com/support/security/bulletins/apsb06-20.html) by Adobe, and either required a dll replacement or an upgrade to Acrobat 8.

The second was a cross site scripting vulnerability announced at the 23rd CCC in December 2006 (http://events.ccc.de/congress/2006/Fahrplan/events/1602.en.html), and was not fixed by Adobe until about January 10th.

Tuesday, January 23, 2007

Anatomy of a Password

With my recent post concerning password tools it seemed like a good idea to discuss passwords and what makes a reasonable password. I won't get overly technical or as in depth as Perfect Passwords (http://www.syngress.com/catalog/?pid=3420), which is full of good advice for the average user and administrator.

The Good, Bad and Ugly

Good: Secure passwords are long and complex, making it difficult for anyone else to use your ID and password.

Bad: The hardest to type and remember are the long and complex passwords.

Ugly: Always forgetting those good passwords, using a sticky note to post the passwords on your monitor, using simple insecure passwords, etc.


The Balancing Act

Personally I use Password Safe (http://passwordsafe.sourceforge.net) which I blogged about here. Even then a good password should be used to protect all your stored passwords. As an example, "password" and "abc123" are not good passwords.

The best passwords are long, easily remembered and use upper and lower case letters, numbers and symbols (including spaces). I usually take a phrase, misspell some of the words, use capital letters in odd places and add unusual punctuation. As an example (and don't use this):

DoC+doktor w3re gona kr4sh#

Butchered from the following phrase:

doctor doctor we are going to crash

Not so Quick Quicktime Fix

Apple has released a fix (http://docs.info.apple.com/article.html?artnum=304989) for the Quicktime vulnerability first announced July 2nd, 2007 (http://www.kb.cert.org/vuls/id/442497).

Per the Apple site, URL above:

"Impact: Visiting malicious websites may lead to arbitrary code execution"

Password Tools

Passwords are the bane of security. Users hate them. Technical support spends too much time with password problems. Other options cost too much up front: imagine spending thousands of dollars to set up a solution that costs an additional $100 or more for each user.

Different systems have different requirements for user IDs and passwords. Passwords expire at different times.

Some sites use pre-defined questions and answers for password "recovery." Others require you to use your e-mail address to verify your identity.

Many people use a standard ID and password for multiple sites. Then there are those sites that won't work with the "standard." So a variant is used, but how many variants can be remembered?

What to do... write down IDs and passwords? Then you have to remember to change your paperwork when the password changes... and how well does that work for most people? Then there is the lost paper syndrome. There is no known recovery method for a lost password list.

Now let's look at standard IDs and passwords. With all the sites hacked and compromised, it only takes one compromised site to give the "keys to your kingdom" away. Imagine some minor site gets hacked and now your keys (standard ID, password, and e-mail address) are public domain. It is a small step to access your e-mail. Monitoring e-mail reveals things like your bank...

What most people need is a secure password repository. A password repository needs to have a long, complex master password. The master password is used to decrypt the stored passwords and IDs. The repository should generate random passwords for use on sites. The repository has to allow automated use of the ID and password (it should not force a user to read and retype the password).

Password Safe

One option is Password Safe (http://passwordsafe.sourceforge.net). Password Safe is an open source Windows application originally developed by Bruce Schneier's Counterpane Labs (http://www.counterpane.com/).

On the technical side, Password Safe has used Twofish and SHA-256 for encryption since version 2.0. The original database used Blowfish and SHA-1. Since it is open source there are versions for other operating systems, but be careful about the database encryption for compatibility. Password Gorilla (http://www.fpx.de/fp/Software/Gorilla/) is a Tcl/Tk version that will work with Windows, Mac and Linux, and uses the newer encryption (Twofish and SHA-256).

On the usability side, it can be installed on a thumb drive, saving the settings to an ini file, or on a hard drive, using the registry. Password Safe can run on login, either prompting for the master password or minimizing to an icon on the taskbar. A tree structure can be used for organization. Right clicking on an item provides several options including:

  • Open the website

  • Autotype the ID and password

  • Edit the entry

  • And more...


When editing an entry there are a number of options, including generating a password. Options for this include the number of characters and the character sets (a-z, A-Z, 0-9, punctuation symbols, etc.).
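The generator options described above (length plus selectable character sets) can be sketched as follows. This is an added example, not Password Safe's own code; the function names and the rule that every selected set must appear at least once are assumptions made for illustration.

```python
import math
import secrets
import string

# Character sets matching the options listed above (a-z, A-Z, 0-9, punctuation).
CHARSETS = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": string.punctuation,
}


def generate_password(length=16, sets=("lower", "upper", "digits", "symbols")):
    """Random password drawn from the chosen sets, with each set represented."""
    if not sets:
        raise ValueError("choose at least one character set")
    if length < len(sets):
        raise ValueError("length too short to include every chosen set")
    pool = "".join(CHARSETS[name] for name in sets)
    while True:
        # secrets draws from the operating system's CSPRNG; the random module
        # is predictable and must not be used for passwords.
        candidate = "".join(secrets.choice(pool) for _ in range(length))
        # Rejection sampling: retry until every chosen set appears, which keeps
        # the result uniform over all passwords that satisfy the rule.
        if all(any(c in CHARSETS[name] for c in candidate) for name in sets):
            return candidate


def entropy_bits(length, sets):
    """Upper bound on entropy in bits: length * log2(pool size)."""
    pool_size = sum(len(CHARSETS[name]) for name in sets)
    return length * math.log2(pool_size)


if __name__ == "__main__":
    chosen = ("lower", "upper", "digits")
    print(generate_password(20, chosen), round(entropy_bits(20, chosen), 1), "bits")
```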

UPDATE 3/8/2007: U3

There is now a U3 version of Password Safe available.

RoboForm

RoboForm (http://www.roboform.com/) is a commercial password repository product. It includes a toolbar for your browser that simplifies its use. It will monitor your browser and save IDs and passwords with the "autosave" feature. With AES encryption, the length of your password determines the strength of the algorithm.

AES key length depends on Master Password (MP) key length*:
  • 128 bit for MP less than 32 chars,
  • 192 bit for MP from 32 to 47 chars,
  • 256 bit for MP 48 chars or longer.
RoboForm has two variants designed for use with USB drives: RoboForm2Go (http://www.roboform.com/pass2go.html) for standard USB drives and RoboForm2Go for U3 (http://www.roboform.com/pass2go-u3.html), which is designed for U3 (http://www.u3.com/) thumb drives. [Note:] U3 is designed to make U3 versions of programs portable, storing registry information on the U3 USB drive. I have one and have mixed feelings about the technology.

Feature list*:
  • AutoSave passwords in browser.
  • AutoFill passwords to login form.
  • Click Login button for you.
  • Fill personal info into online forms.
  • Save offline passwords & notes.
  • Generate Secure Random Passwords.
  • Encrypt passwords and personal data using AES, Blowfish, RC6, 3-DES or 1-DES algorithms.
  • All personal info is stored on your computer only.
  • Take RoboForm with you on USB disk for ultimate portability.
  • Sync your passwords and notes to Palm or Pocket PC.
  • Backup & Restore, Print your passwords.
  • More features: drill down for more.
  • It is well-behaved: NO ADWARE, NO SPYWARE.
  • Works under Windows as an add-on to IE-based browsers.
  • Works with Netscape, Mozilla, Firefox under Windows.
* Taken from http://www.roboform.com/features.htm

Monday, January 22, 2007

Do you Java?

Sun Java has this nice "feature." Every time you update it the old version is left behind.

Which is great if you have some Java program that needs that version. For the rest of us it leaves old, hopefully unused, vulnerable code lying around.

Oh, by the way, it's not just a few megabytes. Per the MS "Add/Remove Programs", each version takes up between 60+ MB to over 100MB. Not that I've verified that; I was more interested in removing the vulnerable code.

I have not found a better method than to sit there and remove them one by one hoping that it doesn't require a reboot... I know there are arguments for and against letting it reboot, but I want it off my system so I'll do as it requests to be on the safe side.

UPDATE 1/23/07: The Internet Storm Center (http://isc.sans.org) has an article on the subject (http://isc.sans.org/diary.html?storyid=2088) including a link on command line silent installs/uninstalls (http://java.sun.com/j2se/1.4.2/docs/guide/plugin/developer_guide/silent.html). The uninstall requires the proper executable that was used for the installation.

Update 2/21/07: Test Results

The good: installation is a snap, and using PSEXEC allows remote installations without a hitch. Return codes I found are 0 (installed) and 1603 (already installed). One caveat: if you use "\\*" as your target it will install on everything in the domain, including servers.

Uninstalling fails and throws a window explaining the options for Windows Installer switches. I don't know if I missed anything, but after a half dozen tests I decided to move on for now.

Update 2/22/07: Silent Uninstall Resolved:

The link above was for older versions of Java. I found the newer documentation online, and basically here is how to uninstall silently.

1.5.0 Update 10 AKA 5.0 Update 10
msiexec.exe /qn /x {3248F0A8-6813-11D6-A77B-00B0D0150100}

1.5.0 Update 11 AKA 5.0 Update 11
msiexec.exe /qn /x {3248F0A8-6813-11D6-A77B-00B0D0150110}

Where 1.5.0u10=0150100
and 1.5.0u11=0150110

Additional details here: (http://java.sun.com/j2se/1.5.0/docs/guide/deployment/deployment-guide/silent.html#uninstalling)
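The two product codes above differ only in the digits that carry the version, so leftover runtimes can be identified and removed from a list of installed product codes. The following is an added example, not from the original post or from Sun: the layout is inferred from those two codes and assumed to hold for other 1.5.0 updates, the function names are hypothetical, and the inventory is constructed.

```python
import re

# Layout inferred from the two commands above (an assumption for other updates):
# {3248F0A8-6813-11D6-A77B-00B0D0<major><minor><micro><update, 2 digits>0}
JRE5_CODE = re.compile(
    r"^\{3248F0A8-6813-11D6-A77B-00B0D0(\d)(\d)(\d)(\d{2})0\}$", re.I)


def decode_product_code(code):
    """Return (major, minor, micro, update), or None if the code does not match."""
    m = JRE5_CODE.match(code.strip())
    return tuple(int(g) for g in m.groups()) if m else None


def product_code(major, minor, micro, update):
    """Build the product code for a version using the inferred layout."""
    if not (0 <= major <= 9 and 0 <= minor <= 9
            and 0 <= micro <= 9 and 0 <= update <= 99):
        raise ValueError("version field out of range for this layout")
    return "{3248F0A8-6813-11D6-A77B-00B0D0%d%d%d%02d0}" % (
        major, minor, micro, update)


def stale_uninstall_commands(installed_codes):
    """Silent-uninstall commands for every matching JRE except the newest."""
    versions = sorted({v for v in map(decode_product_code, installed_codes) if v})
    return ["msiexec.exe /qn /x " + product_code(*v) for v in versions[:-1]]


# Constructed inventory: product codes as they would appear as subkey names under
# HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall. The first two are the
# codes from the post; the third is a made-up entry for an unrelated product.
SAMPLE_INVENTORY = [
    "{3248F0A8-6813-11D6-A77B-00B0D0150110}",
    "{3248F0A8-6813-11D6-A77B-00B0D0150100}",
    "{00000000-0000-0000-0000-000000000000}",
]

if __name__ == "__main__":
    for cmd in stale_uninstall_commands(SAMPLE_INVENTORY):
        print(cmd)
```

Only codes that are actually present in the inventory produce a command, so a version that does not follow the assumed layout is skipped rather than guessed at.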

Hello World

Every, or nearly every, programming course/tutorial starts with a "hello world" program. So in my initial post I pay my respects to this tradition.

I have been in the IT field for over 20 years and have worked, contracted and consulted to and for many companies in many capacities. Currently as I have my CISSP I am concentrating on security.

I plan on using this blog to discuss security related topics, but reserve the right to wander off topic and follow tangents from time to time.

I have to thank Two Guys Named Joe: A technology podcast for the average Joe (http://www.2gnj.com) for getting me thinking about this. They invited me to be a guest on one of their podcasts (2gnj Episode 20: Security is everyone's concern), and I found that I liked it.

I did decide that blogging would be a quicker, easier method. So here I am world.