Sunday, February 25, 2007

Isn't that so cute...

The user's going to pick dancing pigs over security every time.
— Bruce Schneier


This summarizes in one sentence how the bad guys penetrate defenses time after time: how can that cute little game be harmful?

This is also why Vista's UAC giving administrator rights to every setup program that is run is a problem.

Friday, February 23, 2007

Ultimate Security

Now this is getting to be truly secure:
"The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards - and even then I have my doubts."
- Gene Spafford, Ph.D., Purdue CERIAS

I like to expand on this by having the concrete-covered computer sealed in a lead box that is dropped off at a random location in the ocean... then of course you have to kill the crew to keep the location secret.

BTW there is no data recovery option with this level of security.

Thursday, February 22, 2007

Liberty Boxes

Everyone runs across quotes in their digital life, and some are worth sharing.
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)

Wednesday, February 21, 2007

The Register on Vista Security

The Register has a good blow-by-blow article on Vista security (http://www.theregister.co.uk/2007/02/20/vista_security_oversold/). As you would hope, it covers the good, the bad and the ugly. This is true despite an inflammatory remark, especially when taken out of context as it is here:
In a nutshell, Windows is single-handedly responsible for turning the internet into the toxic shithole of malware that it is today.
It explains IE7's sandbox techniques and then shows what I will term bugs: cases where it violates the sandboxed environment.

There is of course the touted User Account Control (UAC) which is a good concept... gone bad.

The quote below gives a good description:
And there's the catch: "Windows needs your permission to install this cleverly-disguised Trojan nifty program. Click Yes to get rooted continue."
I have more details near the end of a previous post, "The ultimate Vista malware is... Setup.exe" (http://sec-soapbox.blogspot.com/2007/02/6-million-dollar-os-or-new-prey-in-town.html).

Then there is "Data hygiene:"

Finally, it's fixed.
Oh wait; it's not fixed. In fact, things just got a lot worse.
...

The worst part of this is that by offering the option to disable the list of recent files, MS has given users a false sense of privacy and security. The reality is that privacy and data hygiene are even more difficult than before. What a blunder.
The summary of the summary

So, what have we got here... We have got... a slightly more secure version than XP SP2... good features... good ideas... implemented badly.

Tuesday, February 20, 2007

TSA Hacked, Incompetent or Both

The story begins like this:
Has the Transportation Security Administration's website been hacked? All indications are yes, and that a malicious phishing attack has been launched against travelers...
-http://blog.wired.com/27bstroke6/2007/02/homeland_securi.html
Then it gets worse.

Read the article, and if this is any indication of their professionalism:

be afraid, be very afraid.

Update 3/8/2007: Congress Reacts

It appears that Congress has gotten wind of this inexcusable issue (http://blog.washingtonpost.com/securityfix/2007/02/security_fix_report_on_tsa_sit.html).
Citing reports by Security Fix and Wired, the chairman of the House Committee on Oversight and Government Reform is demanding that the Transportation Security Administration produce a raft of documents to explain why it created a Web site for airline travelers that lacked basic security protections.


How to Find Bad Apps

Every month Windows or Microsoft Update will download patches and fixes to your computer, but what about all the other non-Microsoft software?

To check for upgrades to popular and multimedia software, simply use the Secunia Software Inspector (http://secunia.com/software_inspector/).
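The inspector does the version comparison for you; the first step it automates is simply knowing what is installed. Here is an added example (mine, not from the post or from Secunia) that builds that inventory from the registry's Uninstall keys, which is where Windows records installed programs, so you can check the non-Microsoft entries against vendor advisories yourself.

```powershell
# Added example (not from the post): list installed software with versions from the
# registry's Uninstall keys, so non-Microsoft programs can be checked against vendor
# advisories. Secunia Software Inspector (recommended above) automates the comparison;
# this only produces the inventory it would start from.
function Get-InstalledSoftware {
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        # 32-bit programs on a 64-bit Windows are recorded under WOW6432Node
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        # per-user installs (no administrator rights needed) live under HKCU
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object DisplayName, DisplayVersion, Publisher, InstallDate |
        Sort-Object DisplayName -Unique
}

# Microsoft's own products are covered by Windows/Microsoft Update, so
# show only the third-party software that nobody is patching for you.
Get-InstalledSoftware |
    Where-Object { $_.Publisher -notmatch 'Microsoft' } |
    Format-Table -AutoSize
```

Entries without a DisplayName are hidden components and are skipped; programs that register nothing in the registry (portable tools, browser plug-ins dropped into a folder) will not appear, which is one reason a scanner that also looks at files on disk is worth running.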

Wednesday, February 14, 2007

The 6 Million Dollar OS: Or A New Prey in Town

I can just hear it "We can re-build it better, faster, more secure... the 6 million dollar OS"

Is it really better, or just a new meal for the predators of the Internet?

Microsoft Vista is a rewrite of the desktop version of Microsoft's flagship Windows OS. It is touted as the most secure, stable, advanced OS yet. What is the reality behind the hype?

Anecdotally:
  • No major company is even interested in it
  • XP is a more stable platform for multimedia
  • XP is a more stable platform for First Person Shooter (FPS) games
Factual:

  • Where the rubber hits the road for the Information Superhighway: This is the main interface to the outside world, where web pages, e-mail and IM (http://en.wikipedia.org/wiki/Instant_message) flow between computers. As with all of Vista, this was rewritten from scratch to be more secure, but instead of learning from the past, history was repeated. Flaws that had been fixed in XP appeared in the new code, which doesn't bode well. In security the old "tried and true" adage holds (nothing is perfect, and over time flaws will surface and, hopefully, be fixed). The Security Now "Vista's Virgin Stack" podcast (http://grc.com/securitynow.htm) has additional information.
  • Microsoft challenges the hackers: Microsoft touted the security of Vista and dared hackers at the last Defcon conference to breach its security. So security researcher Joanna Rutkowska showed a room full of attendees how to install a Vista rootkit (http://www.technewsworld.com/story/52254.html).
  • The ultimate Vista malware is... Setup.exe: Joanna Rutkowska has found a bigger hole in the User Account Control (UAC) design (http://blogs.zdnet.com/security/?p=29&tag=nl.e589). When a setup program is detected you have two choices: give it administrative rights, or don't install it. This is a complete violation of the principle of least privilege. A game should not have rights to install a rootkit, err... I mean a kernel driver. According to Microsoft's Mark Russinovich's blog (http://blogs.technet.com/markrussinovich/archive/2007/02/12/638372.aspx), "...potential avenues of attack, regardless of ease or scope, are not security bugs." Excuse me.
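Whether the "setup program detected, give it administrator rights?" behaviour is even active on a given machine, and whether the shell you are typing in already holds a full administrator token, are both things a Windows administrator can check directly. The following is an added example of mine, not code from the post or from Microsoft; it reads the UAC policy values under the Policies\System key and the current token, and changes nothing.

```powershell
# Added example (not from the post): report which token the current shell runs under and
# the UAC policy values that control the "setup program detected" behaviour discussed
# above. Read-only: a defender's check, nothing is modified.
function Get-UacState {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator

    $policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue

    [pscustomobject]@{
        User                       = $identity.Name
        # True only if this process holds the full administrator token: either it was
        # elevated through a UAC prompt, or UAC is off and the account is an administrator.
        RunningElevated            = $principal.IsInRole($adminRole)
        # EnableLUA = 1 means UAC is on; 0 means administrator logons get full rights
        # silently, with no prompt at all.
        EnableLUA                  = $policy.EnableLUA
        # EnableInstallerDetection = 1 is the heuristic that flags setup.exe-style
        # programs and prompts to run them with administrator rights.
        EnableInstallerDetection   = $policy.EnableInstallerDetection
        # ConsentPromptBehaviorAdmin: 0 = elevate without prompting; non-zero values
        # prompt the administrator for consent or credentials first.
        ConsentPromptBehaviorAdmin = $policy.ConsentPromptBehaviorAdmin
    }
}

Get-UacState | Format-List
```

The point for least privilege is the RunningElevated line: day-to-day work, including running that cute little game, belongs in a shell where it reports False, so that the installer prompt is the only path to a kernel driver and can be refused.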