Security news feed

Here's a great RSS feed to subscribe to if you're into getting interesting security news:

http://www.team-cymru.org/News/

Mah Bluehat blogz - let me show you them!

My somewhat random thoughts on the battle for your PC and how it may play out in the coming year . . . (and by your PC I really mean your Mom's since you're of course running IE7 on Vista with UAC enabled and DEP forced on etc. right?):
http://blogs.technet.com/bluehat/archive/2008/04/28/the-battle-for-the-browser-your-pc.aspx

EDIT:  I'd like to give out a shout-out to Skywing who apparently was one of the first to mention that you could make an application use ASLR by editing the binary in his blog post here: http://www.nynaeve.net/?p=100
He also mentions that the VS2005 SP1 compiler / linker was the first version to offer up the ability to edit the binary to add ASLR creamy goodness, so kudos to him for that (and my teammate Mark for pointing it out to me. :)

Of course attachment security will continue to be all the rage in certain circles . . . and we may even see the bad guys start to focus less on Office 2003 and older binary file formats and more on other popular document formats *cough* Acrobat *cough* . . .

Mac vs. PC - can't we all just get along?

So I'm on the road with my boss . . . he brought his Mac . . . I brought my Vista x64 Dell.  They only offered wired internet so I decided to try out Vista's connection sharing stuff . . . I figured I would plug in the cable and share the connection out over wifi for the Macbook.  I plugged in the cable and after some fumbling around found the wizard to do this.  I initially tried setting up WPA-2 with a passphrase for my Mac-using friend.  No dice - he couldn't associate, let alone enter the passphrase.  So I dropped back down to WEP with a 13 char password.  Same deal - can't associate.  So I dropped down to 'open' and he was finally able to associate - but not get an IP address.  At first he was blaming Vista . . . but then I had him fire up Wireshark on his end and it was pretty clear he wasn't sending any DHCP packets. :)  So then he tried manually configuring the IP / default gateway / DNS Servers and he could ping me and he could ping the DG - but couldn't surf. :(  We were tired - didn't troubleshoot it much further.  The next night we decided to see how the Mac experience would be . . . sharing a connection on the Mac is MUCH easier than on Vista. :(  So he sets up his wifi AP SSID and enables WEP on it and I find it in Vista and double click on it to connect . . . but then I get an error almost immediately about the SSID not being available or something and I am not prompted to enter the password.  I mention this to my boss and he looks over at his Macbook only to find it dumping core and rebooting. :)  Vista pwns MacOS yet again. :)

To be fair - after the core dump and the reboot - he switched his SSID to open and I was then able to successfully connect up and surf the Internets via the MacOS connection sharing.  Something he wasn't able to do via my Vista connection sharing (although I still blame MacOS for that).

So what have we learned?

  1. MacOS has better connection sharing UI that is easier to setup and use than the Vista wizard (IMHO).
  2. The MacOS wifi drivers seem to be crappy . . . (inability to connect to my SSID when I'm using WEP, me bugchecking his box when HE uses WEP etc.).
  3. Vista was able to surf the Internets through the MacOS connection sharing (which was in bridge mode) and the MacOS wasn't able to even get an IP address from Vista's (for unknown reasons).

We are the same - yet we are divided.  Can't we all just get along?

PayPal throws down . . .

This is VERY interesting and I wonder what sort of time frame they plan on doing this in - because right now AFAIK their list of supported browsers would be IE7 and IE8 (based on the EVSSL statements). :)

http://www.eweek.com/index2.php?option=content&task=view&id=47667&pop=1&page=0&hide_js=1

Also found this to be very interesting:
EV Certificates Unproven, but Best Solution Yet

The jury is still out on the value of EV SSL certificates as a meaningful security utility but, in Barrett's mind, the green URL bar offers a visual cue that "makes it much easier for users to determine whether or not they're on the site that they thought they were visiting."

He said PayPal was one of the first companies to adopt EV certificates. "More or less all of the pages on our site are SSL encrypted, and they all use EV certificates. And after nine months of usage, [our] data suggests that there is a statistically significant change in user behavior. For example, we’re seeing noticeably lower abandonment rates on sign-up flows for IE 7 users versus other browsers. We believe that this correlates closely to the user interface changes triggered by our use of EV certificates," Barrett added.

PayPal is also recommending the use of blacklists and anti-fraud warning pages as effective technologies to help protect consumers from identity theft fraud.  Microsoft and Mozilla have invested heavily in anti-malware blockers and anti-phishing technology.


Flash NULL pointer + offset code execution . . .

I tend to agree - Mark Dowd is clearly not human: http://www.matasano.com/log/1032/this-new-vulnerability-dowds-inhuman-flash-exploit/

This kind of thing makes me want to like . . . go work on cars or something. :)

So here's what's sort of scary about Mark's paper and mentioned in the Matasano post - but worth reiterating here . . . this paper could usher in a new era of reliable exploitation for Flash based vulnerabilities. 
Sort of like what Skylined did for IE exploitation using Javascript based heap spray . . .

Harsh times . . .

Hyper-V

So Brandon Baker is a senior guy on the Hyper-V team.  I just came across this blog post of his: http://blogs.msdn.com/rsa2008/archive/2008/04/07/isolation-of-virtual-machines.aspx
If you read my blog - you may have seen my blog from CanSec where Oded did a presentation on VMWare's new VMSafe initiative / APIs and how shocked myself and many other attendees were at what VMWare was proposing.  They in fact seem to be heading in the exact opposite direction as us with respect to their hypervisor / VMM.  They appear to making their VMM / hypervisor attack surface potentially very large whereas we seem to be striving to keep ours as small as possible.  In fact, if you read Brandon's post above - it is very reflective of the mentality that currently exists within product teams today at Microsoft (largely due to the great work of Michael Howard / the SDL / the SWI team and the great work of the feature teams who take the SDL to heart and try to go above and beyond the requirements).  Brandon talks about a DFD - or data flow diagram and how it's very important to identify all of the ways data can get into and out of your application.  This is huge (and one small part of the SDL process).  Once you have identified all of those entry / exit points you can go about validating data / assumptions / fuzzing / building layered defenses etc.  Brandon also mentions that our hypervisor will be small - ~600kb . . . this is very much what I would expect.  You want small, well examined code if it's super critical - and the hypervisor is all sorts of super-critical.  We've taken a tremendous beating in the press for how long our stuff takes to ship these days (but interestingly no one seems to be interested as to *why* stuff takes longer to ship now) . . .

We shipped Server 2008 before hyper-v was done and I firmly believe that was the right call as I would rather have a solid, well tested, insanely secure hypervisor that I can trust vs. one that was rushed to make some arbitrary ship date. :)  So who will have the best, most secure hypervisor in the coming years?  I'm not a betting man . . . but I believe I know which one I'd vote for. :)

Espionage using Office documents in the news

First a Wired article: http://www.wired.com/politics/security/news/2008/04/chinese_hackers

Next a Businessweek article: http://www.businessweek.com/magazine/content/08_16/b4080032218430.htm

We live in 'interesting' times.

IE8 - DEP enabled by default?

W00t!!!  So I guess this is public now: http://www.eweek.com/c/a/Security/Microsoft-Details-IE-8-Security-Default-Change/

This is huge . . . DEP is a fairly complex process on Windows today . . . far less trivial than I would like.  By default on our client operating systems your program has to somehow opt-in to DEP protection and if it doesn't - even if your CPU supports it - you don't get DEP.  IE6 and IE7 don't opt-in to DEP by default - so this means you either have to change your system-wide DEP policy to "opt-out" (not the default) or you have to manually go and figure out how to opt IE6 and IE7 into DEP.  I've covered how to do this in this blog and so has MikeHow.  It's nice to see that IE8 will opt-in by default.  That said - there are also varying degrees of 'DEP'.  There's DEP and DEP (Permanent) (as labeled by Process Explorer).  I'm planning on doing an in-depth write-up in the SWI blog on DEP in the coming weeks . . . in that post I'll briefly describe all the various ways a process can end up having DEP enabled, how the bad guys can try to have the process disable DEP, and what you can do to thwart that.  It should be a good post . . . if I can get the time to finish up some research.  Maybe I should stop blogging and start working on that . . . :)
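Both the "make an application use ASLR by editing the binary" note in the Bluehat post above and the IE8 DEP opt-in discussion here come down to two bits in the PE optional header's DllCharacteristics field: IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (0x0040, what the linker's /DYNAMICBASE switch sets) and IMAGE_DLLCHARACTERISTICS_NX_COMPAT (0x0100, what /NXCOMPAT sets). The Python below is an added example, not code from this blog, from Skywing's post or from Microsoft: it parses a PE header, reports which header-declared mitigations an image opts into, and shows the edit that flips those bits. The build_header helper constructs a minimal, headers-only synthetic image so the script runs offline; run it with a path argument to audit a real file. Editing a real image this way leaves the PE checksum stale and breaks any Authenticode signature, so for production binaries relink with the switches instead.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bit values from the PE/COFF specification.
DYNAMIC_BASE    = 0x0040  # /DYNAMICBASE: image may be rebased, so ASLR applies to it
NX_COMPAT       = 0x0100  # /NXCOMPAT: image is DEP-compatible; Vista SP1+ enables DEP permanently for it
HIGH_ENTROPY_VA = 0x0020  # /HIGHENTROPYVA: 64-bit image accepts the full ASLR entropy
NO_SEH          = 0x0400  # image contains no structured exception handlers

OPT_HDR_DLLCHARS = 70     # offset of DllCharacteristics inside the optional header (PE32 and PE32+)


def _optional_header_offset(data: bytes) -> int:
    """Locate the optional header, validating the MZ and PE signatures on the way."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER, 20 bytes
    size_of_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    if size_of_opt < OPT_HDR_DLLCHARS + 2 or len(data) < opt + size_of_opt:
        raise ValueError("optional header truncated")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):                        # PE32 / PE32+
        raise ValueError(f"unknown optional header magic {magic:#x}")
    return opt


def dll_characteristics(data: bytes) -> int:
    """Return the raw DllCharacteristics field of a PE image."""
    opt = _optional_header_offset(data)
    return struct.unpack_from("<H", data, opt + OPT_HDR_DLLCHARS)[0]


def mitigation_report(data: bytes) -> dict:
    """Which of the header-declared mitigations the image opts into."""
    flags = dll_characteristics(data)
    return {
        "aslr": bool(flags & DYNAMIC_BASE),
        "dep": bool(flags & NX_COMPAT),
        "high_entropy_va": bool(flags & HIGH_ENTROPY_VA),
        "no_seh": bool(flags & NO_SEH),
    }


def with_flags(data: bytes, flags: int) -> bytes:
    """Copy of the image with the given DllCharacteristics bits set (the binary edit the
    post refers to). The PE checksum and any Authenticode signature are NOT updated."""
    opt = _optional_header_offset(data)
    out = bytearray(data)
    current = struct.unpack_from("<H", out, opt + OPT_HDR_DLLCHARS)[0]
    struct.pack_into("<H", out, opt + OPT_HDR_DLLCHARS, current | flags)
    return bytes(out)


def build_header(flags: int, pe32plus: bool = False) -> bytes:
    """Constructed, headers-only PE image used as sample input; not a real binary."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    size_of_opt = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, size_of_opt, 0x0102)
    opt = bytearray(size_of_opt)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, OPT_HDR_DLLCHARS, flags)
    return dos + b"PE\0\0" + coff + bytes(opt)


def check_file(path: str) -> dict:
    """Audit an on-disk image."""
    with open(path, "rb") as fh:
        return mitigation_report(fh.read())


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(check_file(sys.argv[1]))
    else:
        legacy = build_header(0)                           # like IE6/IE7: opts into nothing
        print("legacy :", mitigation_report(legacy))
        hardened = with_flags(legacy, DYNAMIC_BASE | NX_COMPAT)
        print("edited :", mitigation_report(hardened))
```

The report only covers what the image header declares; whether a process actually ends up with DEP also depends on the system-wide policy (opt-in vs. opt-out), which is exactly why a header flag is the more robust way to opt in.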

"Counting vulnerabilities is a natural way to measure security. If you're a retard."

Got your attention didn't I? :)  So Mike Howard, one of the founding fathers of the SDL, is an amazing guy.  In my group we joke around with him and tease him quite a lot (he is a Kiwi after all) but at the end of the day there are few people in Microsoft that I respect more and to this day I still can't believe I get to work in the same org with him.  To say it's an honor and a privilege would be an understatement.  I would be hard pressed to name another person in Microsoft who has had more impact on the overall security of our products.  When he speaks - I listen.  So with that I give you Mike's latest Technet article: http://www.microsoft.com/technet/community/columns/secmgmt/sm0408.mspx

I really liked this article because it was short and sweet and Mike does a really great job of capturing the cultural shift that occurred and how we use metrics to track our progress and how our competition is still, in the year 2008, largely in denial about their own situation. One of the most frustrating things for me is when ignorant non-believers <G> claim that the SDL is all just marketing hype / spin / FUD etc. (as so eloquently captured at the beginning of his article <G> and as the title of this post).  It's insulting to me.  To put how I feel about folks who don't believe that the SDL is causing measurable improvements to our products' security in context, consider all of the people who believe that the moon landing never happened and was a big sham put on by our government.  Now imagine that you're an engineer who has worked at NASA for decades who was involved in that monumental achievement.  Imagine how that person must feel every time they come across someone at a party or some social setting who simply doesn't believe that we could have achieved such a milestone in the 60's.  I believe I know how they must feel . . . bemused . . . offended . . . disgusted even . . . I come across people every day (through my blog, email, web sites) who simply don't believe that the SDL is a real achievement and who think it's all just a sham perpetrated by the world's largest software company to get people to buy more product.  By now I've largely given up trying to convince people that the SDL is real and that it really works.  In the year 2008 if you don't believe that we've made progress since 2002 and that the SDL and the cultural shift within Microsoft is responsible - then I internally lump you into the same bucket as the folks who to this day don't believe in the moon landing as there is probably no amount of evidence that will ever convince you that it's real.

I feel dirty . . .

So I've been running WS2008 for a while now.  I've got a nice beefy machine that I do all my repro work on.  It's an Intel quad proc box with 4GB of RAM and an ATI Radeon x1950Pro.  I've got some nice LCDs and run multi-mon.  And I absolutely hate what we've done to the shell on WS2008 in its default configuration.  That said - I also hated the Vista shell (and Aero at first) until it grew on me and now I like it. :)  Anyhoo - so I gave the WS2008 stripped down look a go for a long time.  I mean - I know why we did it - it's a server SKU . . . adding pizzazz and features also adds attack surface and we want to be secure by default.  So I know I *should* be running my *server* SKU without the "Desktop Experience" feature (in WS2008 you get a stripped down OS after install and then you build it up and customize it post-install by adding 'roles' and 'features').  The 'Desktop Experience' feature gets you things that you find in Vista like Windows Media Player, and the Vista desktop themes, and our photo application . . . and if you happen to have a nice video card that supports Aero, AND if you turn on the 'Themes' service - then you also get the 3D Aero interface which I've come to love.

So there - I said it - not only did I install QuickTime on my wife's PC last week (another blog post for another day, but at least they do ASLR, DEP and /GS now!) but I also officially increased the attack surface of my WS2008 box just for some eye candy (a better looking shell).

I feel dirty.

Get Kraken!

So much ado is being made about Kraken in the press with people speculating this bot is bigger than Storm - which was already terribly over-hyped in terms of numbers by the press.
If you're curious - here's our AV team's write-up on it here: http://www.microsoft.com/security/portal/Entry.aspx?ThreatId=-2147369263 and here: http://www.microsoft.com/security/portal/Entry.aspx?ThreatId=-2147368536

Our next Security Intelligence Report summarizing the last half of 2007 comes out real soon . . . I bet it will be a good read. :)


Apple opting into /GS, DEP and ASLR?

Somebody pinch me . . . I must be dreaming: http://www.eweek.com/c/a/Security/Apple-Adds-AntiHacker-Features-to-QuickTime/

Bitlocker protecting me from myself?

So tonight I rebooted my notebook and was prompted by Bitlocker that my boot configuration had changed.  I sort of freaked out.  I didn't want to insert my USB key with the BDE key on it until I figured out what BDE was trying to tell me.  For all I knew someone had messed with my OS while I was at lunch today and bootroot'd me or something.

Unfortunately our UX here really sucks when BDE is trying to tell you something and the user is greeted with an error message that simply says something to the effect of:

The settings for <path to winload.exe> have changed.
The changed setting is: 0x2500000020
Bitlocker can't continue - insert your USB key if you *really* want to boot the system anyways.

Oh joy!  How helpful.  Not.  So let me get this straight . . . something changed, Vista knows exactly what it is, but it won't tell ME what it is in English so that I can make an informed decision about what to do (i.e. whether to hand my notebook over to a forensics / incident response person or whether to insert my USB key and try booting the OS to revert whatever setting I may have changed).  Brilliant!  And this is SP1 mind you.

So fortunately I work here and help is just a distribution list away.  I sent email to some Bitlocker folks and got an answer within minutes (which I was very thankful for - the BDE guys do rock and are always very responsive).
That setting that was changed in the boot configuration database is this:
BcdOSLoaderInteger_NxPolicy                      = 0x25000020,

Doh.  I didn't try searching on JUST the hex goo (I added 'bitlocker' to the search assuming I'd get a bazillion search hits for random things if I didn't).
If you do search on just the number - you get this: http://search.live.com/results.aspx?q=0x25000020&src=IE-SearchBox which leads you to this: http://msdn2.microsoft.com/en-us/library/aa362670(VS.85).aspx which unfortunately is about as good as it gets (for now) when it comes to troubleshooting what Bitlocker is trying to tell you when it says your boot configuration has changed and prompts you for a recovery key.

I'm fairly disappointed that a year after Vista has shipped we don't have a good KB article to help folks like me out.  It turns out - as soon as I saw that I knew what happened.  Today I did in fact change my system wide DEP policy from the value that it was when BDE measured the BCD . . . I set my system back to default values today to do some testing with IE (without DEP) and I forgot to set it back before rebooting.  The fix is to simply switch my DEP policy back to 'Opt-out' (from Opt-in which is the default) which is what the value was when Bitlocker 'measured' the boot config database and stored the values in the TPM.
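The hex goo in that prompt is a BCD element identifier, and it decodes mechanically: the top nibble is the element class, the next nibble is the value format, and the low 24 bits are the subtype, which is how 0x25000020 reads as an application-class integer element, subtype 0x20, i.e. BcdOSLoaderInteger_NxPolicy. The Python below is an added example, not code from this blog or from Microsoft, that does that decoding and names the nx values bcdedit shows (OptIn, the client default the post mentions, OptOut, AlwaysOff, AlwaysOn). The NxPolicy id comes from the post; the other element names and the class/format layout come from the BCD element reference, and the old/new values in the sample run are a constructed scenario matching what the post describes. Values wider than 32 bits, like the 0x2500000020 shown in the quoted prompt, are rejected rather than guessed at.

```python
# BCD element data types are 32-bit identifiers laid out as:
#   bits 31..28  element class   (1 = library, 2 = application / OS loader, 3 = device)
#   bits 27..24  value format    (1 = device, 2 = string, 3 = object, 4 = object list,
#                                 5 = integer, 6 = boolean, 7 = integer list)
#   bits 23..0   subtype         (which setting within that class)
BCD_CLASS = {1: "Library", 2: "Application", 3: "Device"}
BCD_FORMAT = {1: "Device", 2: "String", 3: "Object", 4: "ObjectList",
              5: "Integer", 6: "Boolean", 7: "IntegerList"}

# 0x25000020 (NxPolicy) is the element from the post; the others are further
# entries from the BCD element reference, included for illustration.
KNOWN_ELEMENTS = {
    0x25000020: "BcdOSLoaderInteger_NxPolicy",
    0x25000021: "BcdOSLoaderInteger_PAEPolicy",
    0x26000010: "BcdOSLoaderBoolean_DetectKernelAndHal",
    0x21000001: "BcdOSLoaderDevice_OSDevice",
    0x22000002: "BcdOSLoaderString_SystemRoot",
    0x12000004: "BcdLibraryString_Description",
}

# Integer values of the nx element, as bcdedit names them.
NX_POLICY = {0: "OptIn", 1: "OptOut", 2: "AlwaysOff", 3: "AlwaysOn"}


def decode_element(raw) -> dict:
    """Turn a BCD element id such as '0x25000020' into its class, format, subtype and name."""
    value = int(raw, 0) if isinstance(raw, str) else int(raw)
    if not 0 <= value <= 0xFFFFFFFF:
        # Too wide to be an element id (the quoted prompt shows one extra zero);
        # refuse rather than silently drop a digit.
        raise ValueError(f"{raw} is not a 32-bit BCD element id")
    cls = value >> 28
    fmt = (value >> 24) & 0xF
    subtype = value & 0x00FFFFFF
    return {
        "id": f"{value:#010x}",
        "class": BCD_CLASS.get(cls, f"unknown({cls})"),
        "format": BCD_FORMAT.get(fmt, f"unknown({fmt})"),
        "subtype": subtype,
        "name": KNOWN_ELEMENTS.get(value, "unknown"),
    }


def describe_nx_value(value: int) -> str:
    """Name for an integer value of the nx element."""
    return NX_POLICY.get(value, f"unknown({value})")


def explain_bitlocker_prompt(element: str, old: int = None, new: int = None) -> str:
    """One-line, human-readable reading of a 'boot configuration has changed' prompt
    that names a single element; old/new are the element's values if you know them."""
    info = decode_element(element)
    text = (f"{info['id']} is {info['name']} "
            f"({info['class']}/{info['format']}, subtype {info['subtype']:#x})")
    if info["name"] == "BcdOSLoaderInteger_NxPolicy" and old is not None and new is not None:
        text += f"; DEP policy changed from {describe_nx_value(old)} to {describe_nx_value(new)}"
    return text


if __name__ == "__main__":
    print(explain_bitlocker_prompt("0x25000020"))
    # Constructed scenario matching the post: OptOut when Bitlocker measured the BCD,
    # set back to the OptIn default for testing, then the reboot tripped the check.
    print(explain_bitlocker_prompt("0x25000020", old=1, new=0))
```

The post's fix corresponds to `bcdedit /set {current} nx OptOut`; any change to this element alters what Bitlocker measured at setup, so expect the same prompt after any nx change, not just this one.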


Yet another product with 360 in the name . . .

Ferrari F360 :)
Xbox 360
Anderson Cooper 360
Symantec Norton 360
NordicTrack 360
Fortify 360? http://www.internetnews.com/dev-news/article.php/3737696/Taking+a+Wider+View+of+Code+Security.htm

Seriously . . . when will the 360 product naming madness end!?

On Vista, OSX and security researchers

So I made an interesting observation at Cansec last week.  By day 3 I realized that I was the sole presenter running Vista.  Hell I may have been the sole *attendee* running Vista.  In fact if I had to break out the presenter laptop OSes it would go something like this:

  1. 50% OSX
  2. 34% Windows XP
  3. 15% random Linux distros
  4. 1% Vista (me)

If you add attendees to the mix the Windows XP numbers go up a bit and the OSX numbers may go down (i.e. it may be 40% OSX / 40% XP).

I find this phenomenon curious given that OSX is never in the news with a positive security story as of late - it's all fail all the time lately with OSX and security.  This point was made dramatically clear when OSX fell inside of 2 minutes on day 2 of pwn2own when you were allowed to log in locally and browse to an exploit web site.  All you apparently need to pwn the Mac is in-box applications - for Vista - the researcher who owned it needed not only Flash but Java as well (it's unclear as to why Java was needed but the thinking is perhaps it was needed to get some executable pages for the shellcode due to NX / XD / DEP).

So I find it pretty strange that people who worry about security enough to attend and present at security conferences - are predominantly running OSs that are less than optimal for the task of keeping them secure.  I for example - was running Vista x64 SP1 with Bitlocker in TPM+PIN mode . . . and it's like I was from the future or something - even though this platform has been out for over a year now.

So what are the reasons behind this?

  1. Security geeks favor pretty hardware / UIs over security? (i.e. "Do as I say - not as I do"?)
  2. They like the OSX platform because they can run cooler Unix / Linux / open source tools easier?
  3. They're hoping for a little security through obscurity?
  4. All of the above?

Don't get me wrong - I've been to lots of security cons over the years and I know that there's always been a lot of OSX and Linux there - but it seems to be trending *up* not down . . . I find that strange.  Maybe it's just me.
