Tuesday, June 5, 2007

Responsibility is Everyone's Job

Software developers constantly talk about responsible disclosure.

Responsible disclosure is basically defined as informing the software developer of a vulnerability so that it can be researched and fixed. Compare this with full disclosure, where the vulnerability is announced to everyone without giving the software developer a chance to fix it. Contrast both with the economic pressure on a software developer to reveal a vulnerability, which is none.

The spectrum consists of Full Disclosure (tell everyone), Responsible Disclosure (tell the developer), and Non-Disclosure (tell no one). Without going into details, suffice it to say that responsible disclosure is currently mainstream.

The question is how the developers handle fixing the vulnerability. The general thought is that a responsible company would put resources into fixing these as soon as possible, but these commercial developers are, for the most part, in business to make a profit. I am not including open source developers in this post.

Now for two examples of how Microsoft has handled responsible disclosures.

The ANI exploit, which I wrote about in Vista Smista & ANI Exploit. The vulnerability was disclosed in December of 2006 and not fixed until exploits were released in March. A quote from my previous blog is below; more details are in my other post mentioned above:
In short this was disclosed to Microsoft in December of 2006. Apparently the first report of this vulnerability being used as an exploit was March 28th. Due to the widespread use of the exploit several third parties released interim patches... Microsoft reacted, as it tends to do when third party patches are released and the news media starts to publish... Microsoft released the official patch out-of-cycle on Tuesday the 3rd of April (instead of today the 10th of April).

Just recently, at the end of May 2007, a vulnerability in Microsoft's web server IIS 5.x, where authentication can be bypassed, was announced. However this vulnerability was discovered December 15th 2005 (no, this is not a typo) and was subsequently responsibly disclosed to Microsoft. Apparently Microsoft finally decided to publicly disclose the vulnerability, but without a fix. Unless you consider paying for an upgrade to Windows Server 2003 and IIS 6.0 a patch.

Keep in mind that these are just two examples, where Microsoft:
  1. Failed to fix a known vulnerability for several months until an exploit was released.
  2. Kept a vulnerability secret for over a year, then released the information and requires a paid upgrade to the latest code for a fix.

I think Microsoft should re-evaluate their responsibilities as a good citizen or netizen.

Thursday, May 31, 2007

When Google isn't Google: Google-analytics Compromised

It has been reported that the popular Google Analytics has been compromised. The details are in the ISC Diary entry titled Google Counter ... isn't.

What this means to the average user is that any web site that uses Google Analytics, and more than a few use this free service, will attempt to infect your computer.

What is the average user to do? Disable JavaScript and break most web sites? That is almost like putting bars on your windows and refusing to leave the house.

Well, it isn't a secret what I do: I use Firefox and the NoScript extension as my main defense against this. I normally leave anything not required for accessing a site, including Google Analytics, disabled. I was initially surprised by the number of scripts attempting to run from sites I had not directly connected to. I would describe this as checking who a visitor is bringing with them when they want to visit my house.

See "Drive by What?" for my latest blog entry on the subject, or check here for all my references to NoScript.
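To make the "who is the visitor bringing with them" idea concrete, here is an added example (my own illustration, not code from this blog or from the NoScript project) that pulls every external script out of a page and sorts it into first-party and third-party origins, then applies a NoScript-style policy where a third-party script only runs if its host has been explicitly allowed. The sample page and the hosts example-blog.test and ads.example-adnetwork.test are constructed; the Google Analytics URL is the one such a page would have carried at the time.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample page.  example-blog.test stands in for the site the user
# actually typed in; the other hosts are scripts that page pulls in on its own.
SAMPLE_HTML = """
<html><head>
<script src="/js/site.js"></script>
<script src="http://example-blog.test/js/comments.js"></script>
<script src="http://www.google-analytics.com/urchin.js"></script>
<script src="http://ads.example-adnetwork.test/serve.js"></script>
<script>var inline = 1;</script>
</head><body></body></html>
"""


class ScriptCollector(HTMLParser):
    """Record the src of every external <script> and count inline ones."""

    def __init__(self):
        super().__init__()
        self.srcs = []
        self.inline = 0

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.srcs.append(src)
        else:
            self.inline += 1


def script_origins(html, page_url):
    """Split a page's scripts into first-party and third-party relative to page_url.

    A relative src (no host) or a src on the page's own host is first party;
    anything else is a host the user never chose to connect to.
    """
    collector = ScriptCollector()
    collector.feed(html)
    page_host = urlsplit(page_url).hostname
    first_party, third_party = [], []
    for src in collector.srcs:
        host = urlsplit(src).hostname  # None for relative URLs
        if host is None or host == page_host:
            first_party.append(src)
        else:
            third_party.append(src)
    return {"first_party": first_party,
            "third_party": third_party,
            "inline": collector.inline}


def blocked_by_allowlist(third_party, allowed_hosts):
    """NoScript-style default-deny: a third-party script runs only if its host
    is on the user's allow list.  Returns the scripts that would be blocked."""
    return [s for s in third_party if urlsplit(s).hostname not in allowed_hosts]


if __name__ == "__main__":
    report = script_origins(SAMPLE_HTML, "http://example-blog.test/index.html")
    print("first party :", report["first_party"])
    print("third party :", report["third_party"])
    print("blocked     :", blocked_by_allowlist(report["third_party"], set()))
```

With an empty allow list both third-party scripts are blocked; allowing only www.google-analytics.com lets the analytics script through while the ad network script stays blocked, which is exactly the per-host decision the extension asks you to make.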

Wednesday, May 30, 2007

Windows Please Phone Home!

I have talked about patching a few times.

I have also discussed how I have found Microsoft Windows systems that were configured for automatic downloading of security patches, but were not patched, in Cup of Hot Cocoa: Patch Warfare II.

Now it appears that Microsoft has taken notice and has released patches to fix the problems with automatic updates (and with manually using the Microsoft Update and Windows Update sites, for that matter), which is great. But except for an announcement on their blog (Welcome to the Microsoft Security Response Center Blog!) it has received very little fanfare. See Two Advisories on Non-Security Updates for details.

Now the scary part is that it is being distributed by the very mechanism that it is designed to fix. If a PC is not getting updates due to the problems these updates fix, then the system will not get the fix! To compound the problem, these fixes are distributed separately and each one requires a reboot.

In other words the broken update mechanism must download and install the first update. Can you say "if your internet connection is down please visit our web site to report a problem"... or how about "please call the phone company if your phone is not working"...

Then it has to do the same thing for the second update!

Now if Microsoft wanted to be a good internet citizen they would announce this all over the place and encourage users to visit the update sites to download these manually, or if that fails to download them directly per the knowledge base articles: Microsoft Security Advisory (927891) and Microsoft Security Advisory (937696).

Friday, May 25, 2007

Drive by What?

It used to be that you could avoid certain types of sites and avoid most malware. Add good antivirus software and you were pretty safe. Not any more: just about any site can be used for drive-by downloads.

Now even major sites can participate in spreading infections just by displaying advertising. The dark side submits an ad that downloads malware when a visitor merely views the ad on a site.

This has become so common that Brian Krebs, of Security Fix fame, wrote an article about it called Cyber Crooks Hijack Activities of Large Web-Hosting Firm. It discusses a web hosting provider that has literally hundreds of infected hosted sites, and the site owners don't even know that their sites are infected.

Even Google discusses it in their new security blog with their initial post Introducing Google's online security efforts.

Alas, we are not completely helpless. I have mentioned NoScript before and I will continue to recommend it to enhance your control over what runs on your computer.

I will also mention an anti-malware tool from eEye that I recently discovered called Blink, which is currently free for personal use in North America.
eEye Digital Security is offering Blink Personal Internet security with Antivirus for free as a 1-year subscription in North America.
If you are outside of North America, as of the time I write this, the price is $24.95 for one computer and $29.95 for three (3) computers. I have found this to be quite effective without causing performance issues.

Sunday, May 20, 2007

Videos

Who knows you better than your peers?

It seems that there was a contest for university students to create videos to increase awareness of computer security among university students.

The contest was conducted by the EDUCAUSE/Internet2 Computer and Network Security Task Force, the National Cyber Security Alliance, and ResearchChannel.

Even though the intended audience is college and university students, the videos are entertaining and educational for other audiences. I suggest you check out the videos here.

Wednesday, May 9, 2007

Enemy of the State RFID Style?

The Plot

Back in November of 1998 the movie Enemy of the State was released, starring Will Smith as the harassed citizen who was tracked with every asset the government had, including satellites. While I do not claim to have access to any details of what these satellites can do, I can make a few statements safely.
  1. No one casually moves satellites between orbits. Simply put, they have a limited amount of fuel and once it is used there are no satellite fuel stations that you can stop by for a refill.
  2. There would have to be a compelling reason to track one person with satellites. As I understand it they are constantly in use and the scheduled activities are not casually changed, especially on a moment's notice.
Now let's look at current technology and trends: how currently deployed and developing technology could be abused. While I want to "set the stage" a little bit, I will be directly discussing RFID and its ability to be used/abused.

Video Surveillance

Let's start with the most obvious: the UK, with its attempt to monitor everything via camera. While I'm not a UK citizen I have been "watching" this from the sidelines. First, as far as I can tell there are no laws covering who can view/use the videos captured, how long they are retained, or how they are disposed of. This may not seem to be a big deal, but consider evolving technology and the apparent lack of controls.

Imagine, if you will, someone digitally changes a video to put you, or a now well known politician, in a compromising situation. Without properly defined controls this could ruin a political career. If I am correct that there are no laws controlling the videos captured, this should be addressed.

Tagging History & Evolution

Radio Frequency Identification (RFID) is all the rage. It is being used everywhere and for many purposes. The first "killer application" was inventory. Simply tag all the inventory and, using simple equipment, get a fast, accurate inventory with minimal costs. Virtually 100% accurate virtually 100% of the time.
Anyone that works with inventory knows that there are always inconsistencies, like who forgot to remove the RFID tag from the do not inventory (DNI) items.

Once this became ubiquitous it was a "no-brainer" to use it for anti-theft. Once an item is sold it is marked as "clear to pass" the anti-theft devices at the doors of that store. Then you go into the next store and their anti-theft goes off: the tag wasn't cleared in the next store's system. Apparently unknown tags alert in case items have not been inventoried yet. This creates many false positives, AKA "The Boy Who Cried Wolf." In summary a shoplifter could make one "token" purchase at the mall then not worry about any anti-theft devices after that.

Tag, You're It

Now if it works so well for tracking things, what about people? The US and UK governments think it is great. You can embed encrypted information, including a digital picture of the person, in the passport and you have decreased the problems with fake passports. At what cost to the average citizen?

The University of Washington demonstrated that the Nike+iPod Sport Kit's RFID can be used to track people, and that tag doesn't have any personal data on it. All RFID tags have unique information and no two match, unless they are cloned that is, but more on that later.

If a simple RFID tag can be used to track you how simple would it be to track someone with an RFID passport?

Wait, isn't there a limited range to read the ones in a passport?

Yes and no. While the RFID tags have limited power, there are two other ways to increase the range the tag can be read from:
  • Using a bigger antenna
  • Using a directional antenna
What about the encryption?

...but the information is encrypted. Yes, and nothing prevents the encrypted data from being cloned. The first documented attempt took the hacker 2 weeks and it only takes about $200 in equipment.

So what, you say. Well, if a standard RFID can be used to track you then the cloned RFID information can be used to track you, and know that it is you. Eventually the dark side will learn to break the encryption and be able to create their own fake passports.

RFID and CCTV

Tie RFID tracking in with surveillance cameras and you can be tracked and monitored easily...
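The tracking point made above about the Nike+iPod tag, and again about cloned passport data, comes down to one property: the tag answers with the same identifier every time, so anyone who can read it at several places can join those reads into a path. The following is an added example of my own (not code from this blog, and not how any real tag or e-passport works) that shows that linkability on a constructed reader log, and beside it the mitigation a privacy engineer would reach for: a per-read pseudonym derived from a key that only the tag and its legitimate back end hold, so the same reads look unrelated to an outside observer but still resolve for the party that is supposed to know. The tag ID, reader names and key are all constructed.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample data.  STATIC_TAG_ID is a made-up UID, READERS are
# made-up reader locations, and the reads are spaced ten minutes apart.
STATIC_TAG_ID = "E2004521A3"
READERS = ["mall-entrance", "food-court", "parking-level-2"]


def static_tag_reads():
    """Log produced by a tag that replies with the same identifier everywhere.
    Each entry is (reader_location, minute, identifier_seen)."""
    return [(loc, 10 * i, STATIC_TAG_ID) for i, loc in enumerate(READERS)]


def rotating_pseudonym(secret, counter):
    """Illustrative mitigation (my assumption, not a deployed standard): the tag
    replies with HMAC(key, counter) and bumps the counter on every read.  Without
    the key, consecutive replies are unrelated strings."""
    return hmac.new(secret, counter.to_bytes(4, "big"), hashlib.sha256).hexdigest()[:16]


def rotating_tag_reads(secret):
    """Same three reads, but from a tag using rotating pseudonyms."""
    return [(loc, 10 * i, rotating_pseudonym(secret, i)) for i, loc in enumerate(READERS)]


def link_paths(reads):
    """What a passive observer with access to the log can do: group reads by the
    identifier seen.  A static tag yields one path through all readers; rotating
    pseudonyms yield one single-read 'path' per identifier, i.e. nothing linkable."""
    paths = defaultdict(list)
    for loc, _minute, ident in sorted(reads, key=lambda r: r[1]):
        paths[ident].append(loc)
    return dict(paths)


def resolve_with_key(reads, secret, max_counter=1000):
    """What the legitimate back end can do: recompute the pseudonyms for the
    counter values it expects and recover the path.  A wrong key resolves nothing."""
    lookup = {rotating_pseudonym(secret, c): c for c in range(max_counter)}
    return [loc for loc, _minute, ident in sorted(reads, key=lambda r: r[1])
            if ident in lookup]


if __name__ == "__main__":
    key = b"constructed-demo-key"
    print("static tag, observer view  :", link_paths(static_tag_reads()))
    print("rotating tag, observer view:", link_paths(rotating_tag_reads(key)))
    print("rotating tag, back end view:", resolve_with_key(rotating_tag_reads(key), key))
```

The observer view of the static tag reconstructs the full route from the reader log alone, which is the scenario the post describes; the same log for the rotating tag collapses into three unrelated one-entry groups, and only the holder of the key gets the route back. Cloning does not help an observer here either: a copied pseudonym is only ever valid for the counter value it was generated for.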

Sunday, May 6, 2007

AOL Password Warning: Time to Change Your Password?

I try to avoid posting what everyone else is posting, but this case is special. Due to the number of AOL users I'm going to post this brief message and link to the original post.

Brian Krebs posted AOL's Password Puzzler on his Security Fix blog yesterday, May 5th. In short, even though AOL allows passwords up to 16 characters it *only* uses the first 8 characters. I'll be the first to admit that there are other systems that have an 8 character limit, but these are well known and documented. *Not hidden away*!

As Brian points out in his post, people have a habit of using their names as their password, but may add some extra characters on the end, such as:
  • tomsmith1
  • tomsmith#1
  • tomsmithGr81
Simply typing in tomsmith will work without a complaint.

Even with a more complex password it is considerably less time consuming to break an 8 character password than a 16 character one. As far as I know all non-dictionary, brute force password crackers sequentially add characters to their attempts. In other words trying to break a password that is 2-16 characters will first try all 2 character combinations then move on to 3 characters...
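Here is an added example (my own illustration, not code from this blog and not AOL's actual implementation, which nobody outside AOL has seen) that models the two behaviours side by side: a password store that silently keeps only the first 8 characters, and one that keeps the whole string. It also computes the size of the sequential brute-force search the post describes, so the 8-versus-16 comparison can be checked with numbers rather than intuition. Plain SHA-256 is used only to keep the model short; a real store would use a slow, salted password hash.

```python
import hashlib
import hmac

TRUNCATE_AT = 8           # the limit described in the post
ALPHABET_SIZE = 62        # a-z, A-Z, 0-9: a common brute-force character set


def _digest(text):
    # Plain SHA-256 keeps the example readable; it is not a recommended password
    # hash.  The truncation behaviour, not the hash choice, is the point here.
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def store_truncated(password):
    """Model of the weak behaviour: everything past character 8 is discarded
    before hashing, so 'tomsmithGr81' and 'tomsmith' become the same record."""
    return _digest(password[:TRUNCATE_AT])


def store_full(password):
    """The expected behaviour: every character the user typed is part of the secret."""
    return _digest(password)


def check(stored, candidate, store_fn):
    """Verify a login attempt against a stored record using the same store function."""
    return hmac.compare_digest(stored, store_fn(candidate))


def keyspace(alphabet_size, min_len, max_len):
    """Number of guesses a sequential brute force makes when it tries every
    string of length min_len, then min_len + 1, and so on up to max_len."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def truncation_speedup(alphabet_size=ALPHABET_SIZE, claimed_max=16, real_max=TRUNCATE_AT):
    """How many times smaller the search becomes when only real_max characters
    matter, compared with the claimed_max the user believes they are protected by."""
    return keyspace(alphabet_size, 1, claimed_max) // keyspace(alphabet_size, 1, real_max)


if __name__ == "__main__":
    record = store_truncated("tomsmithGr81")
    print("truncated store accepts 'tomsmith':", check(record, "tomsmith", store_truncated))
    record = store_full("tomsmithGr81")
    print("full store accepts 'tomsmith':     ", check(record, "tomsmith", store_full))
    print("guesses, up to 8 chars :", keyspace(ALPHABET_SIZE, 1, 8))
    print("guesses, up to 16 chars:", keyspace(ALPHABET_SIZE, 1, 16))
    print("search shrinks by a factor of about %.2e" % truncation_speedup())
```

The speed-up factor works out to roughly 62^8, on the order of 10^14, which is the difference between a search that finishes and one that does not. It also shows why the migration the post anticipates is unavoidable: records written by store_truncated contain no information about characters 9 to 16, so they cannot be upgraded in place; each user has to enter the full password once under the new scheme.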

AOL is a big company and a fix for this will take time. Even if AOL could change it tomorrow, how many people would be locked out of their accounts? Anyone with a password longer than 8 characters trying to log in would fail, since only 8 characters are stored... I suspect the fix will be a new implementation of the password back-end and a new front-end to migrate users to the new infrastructure, but only time will tell.

UPDATE: In case anyone is looking for information on good password generation/selection or password tools, I did a couple of previous posts on these: Anatomy of a Password and Password Tools. All of my posts on passwords, including this one, are here.