Dan's DNS checker - We need a new ship!

Here's an interesting, somewhat reflective blog post from Kaminsky on security researcher drama, and how in an ideal world lots of trusted peers would get to review your vulns and fix plans before the patches ship: http://www.doxpara.com/?p=1164  Sadly, in the real world it doesn't always get to work that way, for a lot of interesting reasons, but I'm glad everyone worked it out and is happy again.

I also love the DNS checker on the right side of his blog.  Dan allowed me to discover that Bellsouth apparently doesn't patch in a timely fashion (and I suspect - at all) . . . not that it matters to me - it's not like DNS is a secure sort of protocol anyway, or was ever intended to be one (just grep through a DNS RFC like this one: http://www.faqs.org/rfcs/rfc1035.html looking for the words 'secure' or 'security') . . . so even with all of the latest DNS security update creamy goodness applied I don't trust that there would be no ways for nefarious types to have fun with DNS at my expense . . . so while I find Dan's vuln to be pretty cool in a scientific sort of way, at a macroscopic / real-world level, with respect to how data travels through the series of interconnecting tubes, it seems to me a bit like the crew of a strafed, torpedoed and badly listing ship which is heading towards an underwater minefield responding by patching the bullet holes in the hull . . . it may give them something to do and make them feel better temporarily, but at the end of the day it just doesn't matter - that ship is still going down.  You needn't worry about plugging those holes, as the battle to save the ship has already been lost - clearly what is needed at that point is a new, more secure ship.

So with that said - I always find it sort of amusing (and sad) at how fundamentally insecure communications on the Internets are to this day (with respect to spoofing, tampering and other S.T.R.I.D.E. type threats) and most of my ire is focused on DNS and lower level protocols which I still can't believe are in use to this day in the year 2008 . . . but DNS is really just one insecure protocol riding on and trusting other insecure protocols so at the end of the day when I wax all philosophical I have to wonder - "does yet another DNS update really matter, when there are so many other problems with the way we convey packets on the Internet today?".

Well, of course it matters, but think about it . . . let's start at the bottom with the lowest level protocol that I have a beef with:  ARP.  We still to this day rely on it, errantly and against our better judgement, to begin the process of conveying information from one machine to another, and so to this day it's being exploited for nefariousness: http://blogs.zdnet.com/security/?p=1242.  Again - this is happening in the year 2008!

Work your way up the stack - there are many other by-design vulnerabilities at each layer that require new, more secure versions of the protocols (which likely already exist or have been proposed) to resolve . . . but they still aren't widely deployed or used on the Internets - so I guess that's why I find it sort of silly to get all worked up about DNS.  Yeah it's important - but so are lots of other 'minor' things like ARP or IP which also seem pretty bad (to me).

Um, captain?  Can we like . . . get a new ship pleaze?  OKTHXBAI!

(p.s. - Forgive the bad warship analogies - I'm finally getting around to reading Cryptonomicon, which is largely centered around fictionalized events of WWII, so submarines, warships, bullet holes etc. are very much on my mind. . . )

Chris Rohlf joins Matasano

I have mad respect for Matasano and I can't believe a friend of mine now works there!
http://www.matasano.com/log/1088/hello-a-self-introduction-by-chris-rohlf/

Congrats dude!

Memory dumpers for Windows

So I still get IR related questions on occasion . . . one of which is 'what is the best way to dump memory on Windows'.  I honestly am hopelessly out of touch - I haven't done IR in many years now - but I came across some interesting tools that seem to have been released recently that I thought I'd share for the IR folks:

First up - Suiche, of 'Sandman' fame, released a memory dumping tool (win32dd): http://www.msuiche.net/2008/06/14/capture-memory-under-win2k3-or-vista-with-win32dd/

Next up is the ManTech Memory DD tool: http://www.mantech.com/msma/MDD.asp

Adobe Acrobat 9 - Creamy Security Goodness (on Vista / WS2008)

So I noticed yesterday that Adobe had quietly released Acrobat 9 to the web.  I decided to download it and check it out to see if they had finally gotten a copy of the memo (it's just that we're putting cover sheets on all of our TPS reports now) and decided to start opting in to some of the exploit prevention technologies we provide on Vista / WS2008 (like Apple has with QuickTime). 

Well folks - I am super pleased to report - Adobe has finally gotten serious and released a version of Acrobat that supports not only DEP in permanent mode - but also ASLR!  (Now if we could just convince people that Vista isn't all the suck that the media hypes it up to be so that they would install it and get the benefit of ASLR).

So a huge round of applause for Adobe please - even though opting in to these features involves just a couple of additional linker switches (/DYNAMICBASE and /NXCOMPAT), it's certainly not that easy in reality and could have involved switching compilers, performing lots of additional testing, working with 3rd parties to make sure their additions / plug-ins still work or will work, etc. etc.  (And the opt-in really has to cover every DLL that gets loaded into the process, plug-ins included - a single non-randomized module is all an exploit writer needs to find a fixed address to return into.)

Anyhoo - here are the gory details from dumpbin (i.e. the flags the linker wrote into the PE header):
C:\Program Files (x86)\Adobe\Reader 9.0\Reader>dumpbin /headers AcroRd32.exe
Microsoft (R) COFF/PE Dumper Version 9.00.21022.08
Copyright (C) Microsoft Corporation.  All rights reserved.

Dump of file AcroRd32.exe

PE signature found

File Type: EXECUTABLE IMAGE

FILE HEADER VALUES
             14C machine (x86)
               5 number of sections
        4850F0A3 time date stamp Thu Jun 12 05:47:15 2008
               0 file pointer to symbol table
               0 number of symbols
              E0 size of optional header
             102 characteristics
                   Executable
                   32 bit word machine

OPTIONAL HEADER VALUES
             10B magic # (PE32)
            8.00 linker version
            4000 size of code
           4F000 size of initialized data
               0 size of uninitialized data
            4054 entry point (00404054)
            1000 base of code
            5000 base of data
          400000 image base (00400000 to 00453FFF)
            1000 section alignment
            1000 file alignment
            4.00 operating system version
            0.00 image version
            4.00 subsystem version
               0 Win32 version
           54000 size of image
            1000 size of headers
           56920 checksum
               2 subsystem (Windows GUI)
             140 DLL characteristics
                   Dynamic base // ASLR! W00T!!!
                   NX compatible // DEP (Permanent) W00T!!!
          100000 size of stack reserve
            1000 size of stack commit
          100000 size of heap reserve
            1000 size of heap commit
               0 loader flags
              10 number of directories
               0 [       0] RVA [size] of Export Directory
            795C [      8C] RVA [size] of Import Directory
            A000 [   48F54] RVA [size] of Resource Directory
               0 [       0] RVA [size] of Exception Directory
           54000 [    1568] RVA [size] of Certificates Directory
           53000 [     69C] RVA [size] of Base Relocation Directory
            5270 [      1C] RVA [size] of Debug Directory
               0 [       0] RVA [size] of Architecture Directory
               0 [       0] RVA [size] of Global Pointer Directory
               0 [       0] RVA [size] of Thread Storage Directory
            71E0 [      40] RVA [size] of Load Configuration Directory
               0 [       0] RVA [size] of Bound Import Directory
            5000 [     234] RVA [size] of Import Address Table Directory
               0 [       0] RVA [size] of Delay Import Directory
               0 [       0] RVA [size] of COM Descriptor Directory
               0 [       0] RVA [size] of Reserved Directory
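If you don't have dumpbin handy, the same two bits (0x40 Dynamic base, 0x100 NX compatible in DllCharacteristics, which together give the 0x140 shown above) can be read straight out of the PE headers.  The following is an added example, not code from the original post and not anything of Adobe's or Microsoft's: it walks the DOS header, COFF header and optional header, reports the ASLR and DEP opt-in bits, and also checks that the image still carries a base relocation directory and doesn't have IMAGE_FILE_RELOCS_STRIPPED set, because an EXE with the Dynamic base bit but no relocations cannot be rebased by the loader and gets no ASLR in practice.  The sample image it builds is constructed for testing; it mirrors the header values in the dump above but is not the real AcroRd32.exe.

```python
import struct
import sys

# Flag values from winnt.h
IMAGE_FILE_RELOCS_STRIPPED = 0x0001
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # "Dynamic base" (ASLR opt-in)
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100      # "NX compatible" (DEP opt-in)
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
IMAGE_DIRECTORY_ENTRY_BASERELOC = 5


def pe_mitigations(data: bytes) -> dict:
    """Parse the PE headers in `data` and report the ASLR/DEP opt-in bits."""
    if data[:2] != b"MZ":
        raise ValueError("no DOS header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, _nsec, _ts, _symptr, _nsyms, _optsize, file_chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                   # optional header follows the 20-byte COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == PE32_MAGIC:
        ndirs_off, dirs_off = opt + 92, opt + 96
    elif magic == PE32PLUS_MAGIC:
        ndirs_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    (ndirs,) = struct.unpack_from("<I", data, ndirs_off)
    reloc_size = 0
    if ndirs > IMAGE_DIRECTORY_ENTRY_BASERELOC:
        _rva, reloc_size = struct.unpack_from("<II", data, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC)
    dynamic_base = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    relocs_present = reloc_size != 0 and not (file_chars & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "machine": machine,
        "dll_characteristics": dll_chars,
        "dynamic_base": dynamic_base,
        "nx_compat": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "relocs_present": relocs_present,
        # the loader can only randomize the base if it can relocate the image
        "aslr_effective": dynamic_base and relocs_present,
    }


def build_sample_pe(dll_chars=0x140, reloc_size=0x69C, file_chars=0x102) -> bytes:
    """Constructed minimal PE32 image (headers only, no sections) for testing.
    Defaults mirror the header values in the dumpbin output above; this is not the real file."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                            # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x14C, 5, 0x4850F0A3, 0, 0, 0xE0, file_chars)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 28, 0x400000)                        # ImageBase
    struct.pack_into("<H", opt, 70, dll_chars)                       # DllCharacteristics
    struct.pack_into("<I", opt, 92, 16)                              # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC, 0x53000, reloc_size)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # usage: python pe_mitigations.py AcroRd32.exe   (no argument: check the constructed sample)
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    for key, value in pe_mitigations(image).items():
        shown = hex(value) if isinstance(value, int) and not isinstance(value, bool) else value
        print("%-20s %s" % (key, shown))
```

Run it over every module the process loads (the plug-in DLLs under the Reader directory included), not just the main EXE, since one module without Dynamic base is enough to hand an exploit a predictable address.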


Vulnerable Web Browser Study - Full of Fail

So I came across an interesting report today from various security folks (including Gunter Ollmann from ISS): http://www.techzoom.net/papers/browser_insecurity_iceberg_2008.pdf

I can appreciate what they are trying to do - and I believe they were probably trying to be as unbiased and scientific as they possibly could given the nebulous goal of the study - but it was, unfortunately, full of fail (at least with respect to the IE results).  What they seem to have done is comb the Google logs, looking at the user-agent strings over a 1.5 year period, to gather major + minor version information for the browsers they studied.  The only problem?  IE doesn't send patch-level (build) version information in its user-agent string - the MSIE token carries nothing finer than major.minor - so there's no way to determine IE patch levels from the user-agent string.  Oops.

So to compensate for that they:

  1. Threw out all IE 5.x and 6.x major version info for some reason - they say it's because IE7 is the most secure version.  While that is true, it is quite possible to be running fully patched IE 5.x or IE 6.x and be just as protected as a user running fully patched IE 7.x.  Why?  Because we will patch and support IE 5.x for as long as Windows 2000 is supported and IE 6.x for as long as XP is supported.  This makes the major version of IE much less interesting than, say, for Mozilla FireFox, which as near as I can tell only supports the previous major version for 'up to 6 months' after the current major version is released.  I can imagine that if we only supported IE 5.x and IE 6.x for 6 months after IE 7.x was released you'd see a lot more uptake on IE7 than we have - but alas, most businesses won't deploy new major versions unless they *have* to, and with IE they don't *have* to.
  2. They looked at a *completely different data set* for IE minor version info!!!  So for everything but Internet Explorer they examined the Google logs, but for IE they relied on voluntary installs of the Secunia software inspector, which is (I believe) a client-side app that scans your machine, figures out the patch levels for various things and uploads the results to Secunia.  Secunia claims about half a million installs, so it's not insignificant - but it's also not comparable to combing the Google logs either (IMHO - but I'm not a statistician and wouldn't even try to play one on TV), and since it's not even the same set of data I can't fathom why they felt it was scientifically valid to include it alongside the other browser results!

For these simple reasons I really don't think it was wise to add IE to the mix . . . they should have (in my opinion) stuck to examining the Google logs, and stuck to examining the user-agent strings for browsers that report patch-level version information.  Apples-to-oranges comparisons aren't very useful.

EDIT:  Meh - someone asked me why IE doesn't have the minor version info in the user-agent string and I had to admit I wasn't sure.  Just never really thought about it I guess.  And so it's with a bit of embarrassment that I have to admit I didn't even think about the information disclosure risk that this would represent and how it could allow attackers to know exactly which exploit to throw at your browser.  Dave thought of that though. :)  Good job Dave. :)  I will admit - browser and web app sec is not my forte . . . is there an easy way to ID the exact version of the browser purely from JavaScript without using an ActiveX control?  That's left as an exercise to the reader and I don't have time to dig right now. :)
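To make the methodological point concrete, here is an added example (not from the study and not from the original post) of the kind of user-agent classification the study would have had to do.  The user-agent strings are constructed for this example in the shape browsers of the time emitted; the point it shows is that the parser can extract a full product version such as 2.0.0.14 from a Firefox string, but from an MSIE token it can never recover more than major.minor, so an IE hit has to be counted separately and any patch-level estimate for IE must come from a different data source.

```python
import re

# Constructed user-agent strings in the 2008 format (made up for this example, not taken from the study)
SAMPLE_USER_AGENTS = [
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727)",
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14",
    "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9) Gecko/2008052906 Firefox/3.0",
    "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_3; en-us) AppleWebKit/525.18 (KHTML, like Gecko) Version/3.1.1 Safari/525.20",
]

# Order matters: the IE token lives inside a "Mozilla/4.0 (compatible; ...)" string,
# and Safari's product version is the "Version/" token, not the "Safari/" WebKit build number.
_PATTERNS = [
    ("MSIE", re.compile(r"MSIE (\d+(?:\.\d+)*)")),
    ("Firefox", re.compile(r"Firefox/(\d+(?:\.\d+)*)")),
    ("Safari", re.compile(r"Version/(\d+(?:\.\d+)*).*Safari/")),
]

# Whether the UA token identifies the exact installed release.  Firefox and Safari put the
# full product version in the UA; the MSIE token is major.minor only, whatever the patch level.
EXACT_VERSION_IN_UA = {"MSIE": False, "Firefox": True, "Safari": True}


def parse_user_agent(ua):
    """Return (browser, version_tuple) or None for an unrecognised string."""
    for name, pattern in _PATTERNS:
        m = pattern.search(ua)
        if m:
            return name, tuple(int(p) for p in m.group(1).split("."))
    return None


def tally(user_agents):
    """Per browser, count hits whose UA pins down the exact release vs. major.minor only."""
    counts = {}
    for ua in user_agents:
        parsed = parse_user_agent(ua)
        if parsed is None:
            continue
        browser, _version = parsed
        bucket = counts.setdefault(browser, {"exact_version": 0, "major_minor_only": 0})
        key = "exact_version" if EXACT_VERSION_IN_UA[browser] else "major_minor_only"
        bucket[key] += 1
    return counts


def needs_other_source(counts):
    """Browsers whose patch level cannot be derived from the UA logs at all."""
    return sorted(b for b, c in counts.items() if c["major_minor_only"] and not c["exact_version"])


if __name__ == "__main__":
    result = tally(SAMPLE_USER_AGENTS)
    for browser, bucket in sorted(result.items()):
        print("%-8s %s" % (browser, bucket))
    print("patch level not recoverable from UA:", needs_other_source(result))
```

Whatever the Google logs contain, the MSIE bucket ends up entirely in major_minor_only, which is exactly why the study had to reach for the Secunia data for IE and why the two columns are not measuring the same thing.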

Dino secretly wants Apple to release 64bit Vista

Interesting article from Dino: http://blogs.zdnet.com/security/?p=1325

Vista x64 has like . . . 4.5 out of 5 of things he wants.  Love the comment in there about making the heap non-executable. :)


Today's FOGA goes to Google for (implicitly) admitting they have a problem (via stopbadware.org)

Man - not sure why this didn't grab the media's attention until today: http://www.pcworld.com/businesscenter/article/147503/group_says_google_a_top_source_of_badware.html

March was apparently a bad month for the Google properties: http://blogs.stopbadware.org/articles/2008/04/05/infections-stats-for-march-2008 (wasn't this also around the time the bad guys figured out they could XSS various high profile web sites that were accepting tainted search result data from Google without sanitizing it?)

Google's response: http://blogs.stopbadware.org/articles/2008/04/07/commentary-on-top-infection-stats

Also of note is the Badware.org response to Naraine's blog calling Apple to task for distributing potentially un-wanted products with Safari security updates: http://blogs.stopbadware.org/articles/2008/06/24/naraine-apple-software-update-still-badware

SQL injection is teh suck . . .

So do something about it: http://blogs.technet.com/swi/archive/2008/06/24/new-tools-to-block-and-eradicate-sql-injection.aspx

We give you 3 different ways to combat SQL injection on our platform above including an update to one of my all time favorite tools - URLScan!
Here's a blog post from a senior IIS dev-dude (Wade Hilmo) on the new URLScan and some of the new features: http://blogs.iis.net/wadeh/archive/2008/06/24/urlscan-v3-0-beta-release.aspx

Security 'silly season' has officially begun . . .

In Formula 1, silly season usually begins near the middle to end of the F1 calendar (although it seems to start earlier each year) as many drivers and teams start the intricate backroom negotiations over who will drive what next season, or sometimes even 2 or 3 seasons from now, and the mass media try in vain to get the scoop on these highly secretive deals, which are sometimes struck between drivers and rival teams without the driver's current team even being aware of the negotiations!  It's usually highly entertaining to watch the mass media speculate about who will drive what in the coming year(s) and for what reasons . . . for example, this year it is widely rumored that Fernando Alonso (currently driving a Renault) will be driving for Ferrari soon, having just driven for McLaren last year (Ferrari's nemesis), even though Ferrari looks to have two champion-caliber drivers already.  Who will get bumped from Ferrari to make way for Fernando?  Where will he go?

With that in mind - I caught this highly sensational article today with the headline "Vista security to be 'obliterated' at Black Hat", and it signified to me that the security silly season leading up to Blackhat has officially begun: http://www.builderau.com.au/news/soa/Vista-security-to-be-obliterated-at-Black-Hat/0,339028227,339290040,00.htm

Yes that's right folks, Vista's security will be absolutely and unequivocally obliterated!  There will be no more Vista security after Blackhat - it will quite simply be wiped off the face of the earth!  Do not therefore be surprised, loyal reader, if ye have no recollection of Vista security following Blackhat, so thoroughly will it be wiped clean from our collective memories, nay, our very existence by Dowd and Sotirov!

MMPC team blog / FF 3.0 download record?

The Microsoft Malware Protection Center team (i.e. the AV folks) have a new blog URL: http://blogs.technet.com/mmpc/
Hopefully these folks will be blogging more about new and exciting malware like they've done just recently.

This month - they talk about the June MSRT release nuking a variety of online game password stealers hailing from China among other places. 
What I found particularly interesting were the statistics, and specifically a download statistic they gave - 330MM downloads of the MSRT in the first week of the June release.

So that is an average of 330MM/7 = 47MM downloads a day for the MSRT in June.
That sort of makes Mozilla's attempt to set a world record for the most downloads in a 24 hour period seem . . . rather quaint. :)

http://www.spreadfirefox.com/en-US/worldrecord/

Right now, at the time of this writing, it looks like they are sitting at only 17.8MM downloads (this page seems to be displaying total downloads to date - not just whatever was downloaded in the first 24 hours; I say that because the counter is still incrementing when I refresh on occasion) - and today is like . . . 6 days after their 3.0 RTW . . . so one could also just compare their 17.8MM downloads after a week to the 330MM downloads for us. :)

Hopefully if they do get the world record - we can promptly turn around and smash it in July . . . August . .  September . . . etc. :)

EDIT:  User friendly proves that great minds think alike: http://ars.userfriendly.org/cartoons/?id=20080623

Microsoft Blogs and Web Resources about Security

This guy has spent an insane amount of time collecting and organizing useful security links . . . but he doesn't just throw them in a blog in random order - he's got a graphical legend and mad organizational skillz. 

Although I must question some of his so-called 'security expert blogs' . . . anyhoo, here's the href: http://blogs.technet.com/feliciano_intini/pages/microsoft-blogs-and-web-resources-about-security.aspx

More FireFox 3.0 entertainment (Fail Open Goat Award)

It's nice to see that the security researchers are taking notice of FireFox's increased share of the market and responding appropriately: http://blogs.zdnet.com/security/?p=1288

This is interesting on many levels . . . here we have a free, open source browser and I'm just guessing that this un-named researcher found this vuln ages ago and deliberately held off on releasing it until FF 3.0 went RTW so he/she could test it out against the RTW bits so that he/she could sell it to ZDI and get paid.  Sure you COULD find the vulnerability and contribute the fix back to the OSS community for free . . . or you could get paid.  Hmmmm . . .

And again - if you're running FireFox 2.x or 3.x on Vista - that seems unwise . . . you'll actually be LESS safe than you would with IE7 on Vista if you have UAC enabled.  Think about it . . .

Okay okay - so you still want to use FF 3.0 on Vista - at least force it to use DEP (permanent) via the ExecuteOptions reg value or something . . . sheesh.
I'd give you the .REG script to do it here but don't feel like downloading FF 3.0 at the moment, so forcing FF 3.0 to use DEP (permanent) is left as an exercise to the reader.

EDIT:  An astute blog reader willing to install FF 3.0 on Vista pointed out that it seems to have opted in to DEP all by itself.  Hooray Moz!  That's good stuff.

Welp the gauntlet has been thrown down . . . with the release of IE 8 possibly only months away . . . will we be able to beat the ~5 hour mark on release day and "follow in Moz's foot steps"?  I certainly hope I don't have to FOGA IE8 on release day.  That would suck. :)

USA Today writes an article about FF 3.0 - hilarity ensues . . .

http://www.usatoday.com/tech/news/computersecurity/2008-06-17-mozilla-window-snyder_N.htm 

Boy why bother with facts when it's so easy to make stuff up and to throw out randomly generated numbers like these:

"Organized cybercrime gangs are more highly focused than ever on taking control of your computer through browser-based hacks. They've already turned some 40% of the world's 800 million Internet-connected PCs into obedient "bots" used to spread spam, harvest your sensitive data and commit fraud."

Emphasis above is mine of course.  Yes folks - 320 million PCs are in USA Today's botnet out there on the Internets.

More comedy:

"In setting out to elevate Firefox's basic security, Snyder is also compelling Microsoft and Apple, maker of the Safari browser, to follow her lead — or get out of the way."

Hmm - let's see what sort of lead we should be following by having a look at the 2007 CVE counts for IE7 and FF 2.0 in the National Vulnerability Database shall we?
http://nvd.nist.gov/statistics.cfm

It seems that for 2007:

  • IE7 had 40 unique CVEs
  • FF 2.x had 67 unique CVEs

Hmm . . . so we were already better than FF 2.x last year . . .
Okay so let's see how we're doing so far in 2008:

  • IE7 has 3 unique CVEs listed so far this year
  • FF 2.x has 24 unique CVEs listed so far this year 

So we've gone from ~3.3 CVEs/month on average in 2007 to 0.5 CVEs/month on average in 2008, a noticeable improvement.  
Meanwhile FF 2.x has gone from ~5.6 CVEs/month on average in 2007 down to a mere ~4.3 CVEs/month on average this year . . . not quite as good.

Of course I'm not sure how much faith to put in those numbers, as according to our own bulletin count for IE7 on Vista for the last 6 months we've patched 6 CVEs that had "CVE-2008" in the description and 7 CVEs total . . . still - that's way less than FF 2.x has patched this year.

Finally, let us not forget that IE7 on Vista runs at Low integrity, which prevents write access to the majority of the file system and registry, so standard off-the-shelf exploits written for IE7 that assume the user has write access to the various ASEPs (auto-start extensibility points - the Run keys, startup folders and the like) will fail to install persistent malicious software on Vista, whereas FF 2.x and 3.x run at Medium IL and therefore have write access to the per-user ASEPs on the system, allowing an exploit to quite easily backdoor a user's profile.

So not only is IE7 less likely to have a security defect than FireFox - it's also a safer browser to run on Vista.  IMHO this is probably one of the biggest reasons Vista is so much less likely to have malware on it when compared to even XPSP2.

We'll see how FF 3.x fares over the next year and whether it's any better than its predecessor . . . I for one will keep using IE7 on Vista - and download IE8 the day it comes out. :)

Our comically un-creative product naming continues . . .

"Windows Embedded NavReady 2009"!?!  Really people?  I think we totally missed an opportunity to add a few more words to describe this fascinating new OS variant thereby ensuring that it will in no way easily fit on any product stickers and will have to scroll horizontally across the screen in the help->about menu on the actual GPS device.  Sheesh.

Here are some missed opportunities (I'm sure the /. crowd will have even better suggestions):
"Windows Embedded NavReady 2009 Ultimate CE 5.1.3 Edition"
"Windows Embedded NavReady 2009 version 12.000.1024.16384 SP0 Ultimate GPS edition"
http://www.pcworld.com/businesscenter/article/147165/microsoft_unveils_first_os_for_portable_navigation_devices.html

I will admit - when the Zune first came out I was not fond of the name (nor Vista for that matter) - but I now realize that they are both short, and sweet and utterly un-Microsoft in the naming conventions and now years later - I get it.  They are single words, easy to remember, and have truly become brands unto themselves.  In the case of Vista - many of the people I talk to don't even really explicitly associate it with 'Windows' . . . "Windows" refers to "Windows XP" - Vista is . . . well Vista. :)

Windows SteadyState - Or "How to surf the web without fear using Windows XP"

So I was chatting with a Microsoft friend of mine today.  He's a Firephox fanboi.  He's always trying to convert me.  He was talking to me about FF 3.0's pending release and about how amazingly fast it is on his XP SP3 rig.  So I started admonishing him for running such an archaic OS and he of course shot back that he only runs it on his older hardware that isn't really suitable for Vista.  Okay - fair enough . . . but then I mentioned that I will never run Firefox on Vista because it runs at Medium IL and my IE7 browser runs at Low IL . . . which makes me feel safer, since shellcode and malware running at Low IL can't really write anywhere interesting to persist across a logoff / restart / closing the browser etc.

Anyhoo - during this chat he mentioned that on his XP SP3 machine he uses Windows SteadyState . . . on his 'extra' older / legacy PC he installed this software and surfs the web using Firefox on XP SP3 . . . if he ever questions the security of his system - he just shuts it down and undoes all of the changes and then restarts - sort of like shutting down a virtual machine and discarding all the changes using an undo disk.  He mentioned that when guests come over they can use 'that' PC to surf the web and then when they leave he can just undo all the changes.

I have to admit - it's a pretty damned good idea . . . it's a free download, it runs on XP, it runs on Vista and it allows you to roll back any badness . . . it also provides easy ways to patch itself (it can be configured to auto-patch or you can login and do it yourself which seems the better route).
