Jesper's Blog

I am a Senior Security Strategist in the Security Technology Unit at Microsoft. My job is to explain to our customers how to run Microsoft products securely, and to the extent that it is needed, help the product groups figu

Security sins in computer products

So I got a new wireless router for my house today and was absolutely appalled at the way they have treated security in the thing. Now, this is not unique at all. I have tried most of the other common home routers as well, and they all sin in about the same ways. Frankly, I have yet to find a wireless product that does security as well as the venerable Microsoft MN-500 802.11b router. Of course, the MS device only does WEP, which is pretty much equivalent to no security at all these days, but when it came out, that was all there was, and it was on by default, and ordinary mortals could actually set it up. Not so with the recent crop of products. Here are some particularly egregious issues:

  1. This is an excerpt from the manual:

Administrator Password
The Router ships with NO password entered. If you wish to add a password for more security, you can set a password here. Keep your password in a safe place, as you will need this password if you need to log into the router in the future. It is also recommended that you set a password if you plan to use the Remote management feature of this Router.

Let me get this straight; if I wish to have security, I may optionally configure it? Why is security optional? What kinds of passwords might this thing support? There is no mention of it in the manual. However, since it is web-based, I presume it can’t have special characters in it, since those would have to be URL encoded. Oh, and the walkthrough configuration wizard thingie, which ensures that you get a wireless network shared with every neighbor who can find it (which is a large number with a MIMO router like this one), does not allow you to set a password.

Hmm, even stranger. When I tried to set the password and at the same time told it not to use NAT, it did not actually take the password. Weird. It restarted the router, but I could still log in with the default blank password.

  2. The wireless network is on by default, with no security, and that handy blank password on the router. 'Nuff said. From what I saw in my testing, anyone could connect to it and manage it as long as they were on the internal side of the network, but of course, all that takes is a Pringles can and a convenient spot to park within about five miles of the router. I have said many times that one of these days I am just going to turn off my wireless network and use one of my neighbors'. On any given day I can see at least 6 of them from my home office. I just think there is a company policy against that sort of thing.
  3. They use terms like “computer hackers use what is known as “pinging” to find potential victims on the Internet.” A hacker is not a criminal! Why is it that we keep using the term "hacker" when we really should be using "attacker" or "criminal"? Hacker is a proud term that was originally used in the computer world to refer to those who really loved computers and everything about them. Then some misguided journalist decided to equate it with criminal, and it went downhill from there. Why can't we just refer to them as the criminals they are? If someone walks in and robs a bank branch, there would be no question about which label to put on him, but because the crime involved stealing someone's bank account details and electronically transferring all the money to some place you've never heard of, they are somehow different from traditional robbers? I've even seen cases where prosecution was called off for fear of destroying the criminal's "career and chances of getting into the university of his choice." This is just appalling. Maybe if we used more descriptive terms to refer to these people we'd actually start putting them where they belong.
  4. Oh, but the fact that criminals use ping as a way to discover your system is not sufficient reason to block ICMP echo by default. You have to actually turn that blocking on. I wonder if the router blocks port scanning? They use that too. I suppose I need to find out.
  5. “Your Router is equipped with a firewall that will protect your network from a wide array of common hacker attacks including Ping of Death (PoD)”
    Wow!!! It protects me against a really scary sounding attack!!! I guess I don’t need that patch Microsoft issued 8 YEARS AGO to fix that problem. BTW, exactly how many people are still running NT 4.0 on their home wireless network so that they would be vulnerable to this? I guess the original release of Windows 95 was vulnerable too, but putting a firewall in front of those is not likely to help much.
  6. IP Address Lease Time: Forever. Yeah, that makes sense, because we will never ever change computers!
  7. The driver for the network cards that go with the router is not signed. Not to worry, the manual explains it:
    You might see a screen shot similar to this one <screenshot of unsigned driver approval screen here>. This DOES NOT mean there is a problem. Our drivers have been fully tested and are compatible with this operating system.
    Good idea!!! Let’s train people to click “yes, I want to install the malicious software” (or the equivalent) in every dialog that pops up and asks them to do so. Why is it so hard to understand that driver signing is about trust in the source of the driver, not about whether it has been tested to work or not? I don't think anyone expects a vendor to release a driver they have tested only insofar as to make sure it compiles.
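As an added example (not code from the post, the router vendor or Microsoft), here is the check a defender can run on a driver package before clicking through that prompt: it reports each binary's Authenticode status and signer, which is the trust-in-source question the dialog is actually asking. The function name, parameter and sample path are assumptions.

```powershell
# Added example: report the Authenticode status of every binary in an unpacked
# driver package, so "this DOES NOT mean there is a problem" can be verified
# rather than taken on faith. Assumes the package is unpacked under $PackagePath.
function Get-DriverPackageSignatureReport {
    param(
        [Parameter(Mandatory)]
        [string]$PackagePath   # assumed: folder holding the .sys/.dll/.cat files
    )

    # Driver binaries plus the catalog (.cat) file; a package is often signed
    # through its catalog rather than with a signature embedded in each .sys.
    $files = Get-ChildItem -Path $PackagePath -Recurse -File -Include *.sys, *.dll, *.cat

    foreach ($f in $files) {
        $sig = Get-AuthenticodeSignature -FilePath $f.FullName

        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }

        # Status is System.Management.Automation.SignatureStatus:
        # Valid, NotSigned, HashMismatch, NotTrusted, UnknownError, ...
        # Anything other than Valid is what the "unsigned driver" prompt warns
        # about: the source of the code cannot be tied to a trusted publisher.
        [pscustomobject]@{
            File        = $f.Name
            Status      = $sig.Status
            Signer      = $signer
            Trustworthy = ($sig.Status -eq 'Valid')
        }
    }
}

# Usage (constructed path; replace with the unpacked driver package):
# Get-DriverPackageSignatureReport -PackagePath 'C:\Temp\router-nic-driver' |
#     Format-Table -AutoSize
```

A .sys that shows NotSigned while the package's .cat shows Valid may be catalog-signed; in that case the catalog's signer is the publisher you are being asked to trust, so read that row before deciding.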

People complain about Microsoft security, but frankly, the state of security in the rest of the industry scares me sometimes.

Comments
  • Jesper – I couldn’t agree more with your opinions! I too was concerned, and recently blogged about securely setting up home wireless networks.

    But your comment about clicking on “unsigned” drivers illustrates the confusion that consumers face daily – another big “security” confusion is the pop-ups asking users to decide between the “Allow” & “Block” buttons for their Firewall or AntiSpyware programs.

    There’s simply no way for “Mom & Dad” to truly know when it's safe to “Click!”

  • I've always used NetGear's wireless products and found them to be pretty good, all in all. They ship with a default password set (OK - everyone knows what it is - but at least it's there) and its default firewall rules are pretty much OK for the majority of home users:
    Everything Out - Allow
    Everything In - Block

    However, the wireless AP is turned on, with the SSID set to something obvious (NETGEAR, I think) and all forms of wireless security disabled. The model I have is actually pretty powerful, function-wise, even supporting VPN termination, Dynamic DNS and various other things.

    But the problem with wireless security, just like most other types of security, is that your average home user does not understand it, care about it or worry about it: just up until the time his machine gets a keylogger installed and his bank balance disappears off to Nigeria. Although the hardware manufacturers could make life easier for the user, their support department would be swamped from day one.

  • I think you are both right. Dan, as you said, there is a support cost associated with providing secure networking, but only if you do it sloppily. The fact is that the wizard could do it all for you. They already have the wizard, even though it does almost nothing useful. Why not make it do something useful?

    Blake, you are spot on about Mom & Dad. This is one of my major beefs. We are asking users to make a security decision, yet we give them no information, no context, no skillset, which will help them do so. We may be asking them whether they want to allow the foo server to connect to the bar service or install the fubar software, but in reality, all the user sees is a dialog that says: "If you want to see the naked dancing pigs you must make this dialog go away. Do you want this dialog to go away?" As Steve Riley says, given the choice of security and naked dancing pigs, security doesn't stand a chance. Hardware vendors are only making this worse by making a mockery out of the protections Microsoft put into the OS to explain, albeit poorly, to people that installing a driver from evilCriminalSyndicate.com is probably not a really bright idea!

    Marcus Ranum posted a brilliant piece the other day at http://www.ranum.com/security/computer_security/editorials/dumb/. I tend to agree with just about everything Marcus says, and I do think I have probably said just about all of it in one forum or another over the years (but Marcus was the one who had the bright idea of writing it up first). However, there is one part in there where he basically says that we should give up on teaching users security and stop them from being capable of infecting themselves instead. While I have often advocated the same approach (create a group called "stupid morons", put the whole marketing department and anyone who has double-clicked an e-mail worm in the past in it, and stop them from getting e-mail attachments), the fact is that doing so would probably have a negative impact on business, and would only solve the e-mail problem anyway. The fact remains that the folks we refer to with disdain as users are really pretty sharp people. They have been able to learn how to read, sometimes how to write, how to drive a car (Boston drivers notwithstanding), and how to do a whole lot of other really complicated things. Why is it that when faced with a security decision they all of a sudden revert to being four-year-olds who say "I am not at all computer literate"? There has to be something they can learn about using computers, and if not, then we probably should take Marcus's advice (which I do believe I gave before he did!).

  • Just regarding the whole driver signing issue... is there some sort of exorbitant cost associated with getting drivers signed? I've always thought that the only plausible reason companies don't get their drivers signed was somehow money related.

    If that is the case, it would probably go a long way towards user education if Microsoft dropped any costs associated with driver signing. Probably shaving 1% off the Windows marketing budget would cover it :-D

  • All you need to sign drivers is a code signing cert. Yes, those cost money, but it is $400 (from Verisign, you may get them cheaper elsewhere). More information on the digital signature program is available at http://go.microsoft.com/fwlink/?LinkId=36678.

    You do not need to pay Microsoft any money to code sign. Now if you want logo certification, then there are additional charges. I'm no expert on this, but from https://winqual.microsoft.com/download/WHQLPOLICY.doc it appears it costs $250 per OS for the testing. Full Windows Hardware Quality Labs (WHQL) details are available at http://www.microsoft.com/whdc/winlogo/default.mspx.

    In other words, the cost should not really be prohibitive for any vendor.

  • Lousy security is all around us, and I'm not even thinking about airport security here (which, I...

  • PingBack from http://proxy.11a.nu/2005/09/14/device-driver-signing-bypasses/

  • Greetings to the clown. I like clowns very much! I have been to the circus and seen clowns.
