• Windows Vista Recovery Console and the Password

    Every once in a while I am left scratching my head. Over the last few days a few blog postings have popped up on a subject and I am at a loss to understand why. I’m not the only one – several security industry colleagues have been in touch and have said they are just as puzzled.

    The claim in question is that the Windows Vista installation medium, and especially its Recovery Console, is the biggest vulnerability in Vista. Why? Because the Recovery Console on the installation medium no longer requires a password and makes the whole disk accessible.

    So I wanted to give my perspective, and that of a number of security industry colleagues both inside and outside of Microsoft:

    1. There are the 10 Immutable Laws of Security. Law #3 says: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore. This is well known to everybody with even the slightest security knowledge. There are a lot of tools on the web that you can boot from to access a disk, be it a Linux distribution, Windows PE, or any other OS that can mount an NTFS partition.
    2. If you have physical access to a disk, you can attach it to any other computer, mount it there, and read the data.
    3. We have a process called the "Security Development Lifecycle" in which every decision that concerns security has to be approved by the Secure Windows Initiative team. The decision to remove the password was taken in this process and approved there. The reason is an obvious one: this password does not add any security, not a tiny little bit. But it added a lot of hassle. A lot of the time, when you need the Recovery Console, the disk is corrupt in one way or another. This can reach the point where the Recovery Console no longer finds the Windows installation, therefore no registry, therefore no password, therefore no Recovery Console. As it adds no security but a lot of problems, we removed it. This was a conscious decision.
    4. Finally, if you want to protect your computer, do what we have been saying for a long time: use a BIOS password, use disk encryption (such as BitLocker) and/or EFS. I use these technologies myself and am not worried at all by the whole discussion.
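    As an added example (not code from the original post), here is a check for whether the protections point 4 recommends are actually in place: whether the OS volume is BitLocker-protected and whether a given folder is EFS-encrypted. It assumes Windows 8 / Server 2012 or later for `Get-BitLockerVolume` and falls back to the `Win32_EncryptableVolume` WMI class that has shipped since Vista; the folder path is an assumption. A BIOS password and boot order live in firmware and cannot be audited from inside Windows, and a BIOS password alone does not help once the disk is moved to another machine (point 2), so the BitLocker result is the one that matters for the scenario discussed here. Run it from an elevated prompt.

```powershell
# Added example, not code from the original post.
# Reports BitLocker state of the OS volume and EFS state of a folder.
# Assumes Windows 8 / Server 2012+ for Get-BitLockerVolume; older systems
# use the Win32_EncryptableVolume WMI provider (available since Vista).
# Needs an elevated prompt for the BitLocker queries.

function Get-OsVolumeProtection {
    param([string]$Drive = $env:SystemDrive)   # e.g. "C:"

    if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
        $vol = Get-BitLockerVolume -MountPoint $Drive
        return [pscustomobject]@{
            Drive            = $Drive
            VolumeStatus     = [string]$vol.VolumeStatus      # FullyDecrypted, FullyEncrypted, ...
            ProtectionStatus = [string]$vol.ProtectionStatus  # On, Off, Unknown
            KeyProtectors    = (($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ', ')
        }
    }

    # Fallback for Vista / Windows 7: the BitLocker WMI provider.
    $wmi = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
                         -Class Win32_EncryptableVolume -Filter "DriveLetter='$Drive'"
    if (-not $wmi) {
        # No BitLocker provider for this drive (e.g. edition without BitLocker).
        return [pscustomobject]@{ Drive = $Drive; VolumeStatus = 'Unknown'
                                  ProtectionStatus = 'Unknown'; KeyProtectors = '' }
    }
    $conversion = @('FullyDecrypted', 'FullyEncrypted', 'EncryptionInProgress',
                    'DecryptionInProgress', 'EncryptionPaused', 'DecryptionPaused')
    $protection = @('Off', 'On', 'Unknown')
    return [pscustomobject]@{
        Drive            = $Drive
        VolumeStatus     = $conversion[$wmi.GetConversionStatus().ConversionStatus]
        ProtectionStatus = $protection[$wmi.GetProtectionStatus().ProtectionStatus]
        KeyProtectors    = '(run manage-bde -status for the protector list)'
    }
}

function Test-EfsEncrypted {
    param([Parameter(Mandatory)][string]$Path)
    # EFS sets the Encrypted attribute on protected files and folders.
    $item = Get-Item -LiteralPath $Path
    return [bool]($item.Attributes -band [System.IO.FileAttributes]::Encrypted)
}

$os = Get-OsVolumeProtection
$os | Format-List

if ($os.ProtectionStatus -ne 'On') {
    Write-Warning ("{0} is not protected by BitLocker: anyone who boots this box from " +
                   "other media, or moves the disk, can read everything on it.") -f $os.Drive
}

# Folder to check is an assumption; point it at whatever holds your data.
$folder = Join-Path $env:USERPROFILE 'Documents'
if (Test-EfsEncrypted -Path $folder) {
    "EFS is enabled on $folder"
} else {
    Write-Warning "$folder is not EFS-encrypted; its files are readable from any OS that mounts the disk."
}
```

    If the volume reports `On` with a TPM-based protector, the offline attack the blog postings worry about is the one BitLocker was built to stop; if it reports `Off` or `FullyDecrypted`, the Recovery Console password would not have saved you either.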

    So I understand that this is scary for people who are not that deep into security, but as I said, I was pretty surprised that it was even taken up by security sites.

    Any comments?

    Roger

  • Digital Phishnet Conference 2007

    Last week the first Digital Phishnet Conference in Europe took place in Berlin. Basically, Digital Phishnet is an initiative to exchange information about phishing sites in order to support law enforcement. That is the core mission: supporting law enforcement with information. Participants can enter the URLs on which they are being phished; the system then collects additional information about them and prepares it for law enforcement, and all participants can add further information where applicable.

    To me the conference showed different things:

    • Phishing attacks are getting more and more sophisticated: malware is involved in almost every attack; we see attacks where the phishing site is downloaded to the victim's machine, unpacked and displayed locally, which circumvents most of the countermeasures against phishing (especially site takedowns). We rarely see the classical phishing attack in Europe anymore.
    • The most pressing thing is to make all the players collaborate. This is easier said than done, since groups that historically are not very good at collaborating would have to: law enforcement, banks, vendors, ISPs, … Even worse: it means sharing information and trusting each other.
    • This directly leads to networks: it is of utmost importance that we immediately start to build international networks. Key players have to know each other and have to want to collaborate.
    • There are technical means that are important: things like anti-virus/anti-spyware and phishing filters in one form or another. Unfortunately the bad guys learn how to circumvent these as well, and hence they become less effective:
      • URL filters lose their importance if the attackers start to use malware and/or local web pages. That said, it is important to stress that there are still a lot of attacks using classical web pages, and therefore the phishing filter has to stay, but most probably additional functionality has to be built in. The question is: the more we build in there, how do we distinguish between blocking malware sites and censoring the Internet?
      • We see targeted attacks. How do the AV vendors react to this?

    This leads me to some concluding statements:

    • No one can solve this problem alone: The bad guys are working together as well – so will we!
    • Therefore there is a huge need for personal networks! We have to know each other and trust each other. This is the only way to achieve this collaboration.
    • New approaches are needed. Most often, targeted malware does not make the cut for AV vendors to include it in their signatures quickly, but this is exactly what we need. If malware has been built to target one single bank, that bank has to be able to get the AV vendors to include this malware in their signatures fast.

    Finally, let's just do it

    Roger

  • Security Standards Portal

    The ITU has just launched a pretty interesting portal. If you have ever looked for a standard in the security space (not only ITU standards), go and see this portal:

    ICT Security Standards Roadmap

    Roger

  • OEMs: Join in to "Secure by Default"

    I recently purchased a PC for my parents and then started to install it, or rather used the OEM installation to get it up and running with Windows Vista Home Premium. I was pretty surprised how easy it was to get a running system (I usually reformat the disk if I have to install a PC for myself). But then I took a deeper look at what had been installed and was surprised again: there were a gazillion products installed on the PC that I never wanted.

    So I started to think about the security of this setup. Looking back at earlier versions of our operating system, one of the key problems was that we enabled everything we thought a user could ever use. Remember Code Red? It attacked our web server, IIS, and spread incredibly fast: on file servers, print servers, any other kind of server (sometimes it even hit an actual web server)… IIS was installed by default, and users and administrators were often not even aware of having IIS on the box, let alone updating it. We changed heavily and went down the "Secure by Default" road.

    Taking this back to the OEM installation above, we (the industry) are taking a big step back to the old days. Why do I have to have a dictionary, a train schedule, etc. installed by default? Who takes care of these applications and makes sure that they are properly managed and updated? Why is an AV solution forced onto my PC (yes, I want one, but I want to have a choice)?

    Personally I think OEMs have to change the way a PC is set up. When I buy a box with Windows Vista on it, I would expect a screen during setup that shows me all the tools I could get; I would then pick and choose, and the machine would be installed accordingly. We could of course argue about opt-in versus opt-out. I hate those installers where I have to tell them between one and three times that I really do not want toolbar X installed on my computer (yes, I know, we have these kinds of tools as well). I would expect the OEMs to take their responsibility and ship a secure-by-default PC. Some of them even disable security functions…

    Coming back to my story above: the first thing I had to do after the successful installation of the PC was to uninstall all the unwanted software and set up update mechanisms for all the remaining active components, printer drivers and …. In the end it still left a bad feeling, as I am not sure whether I really uninstalled everything, and whether some vulnerable component I will never use is still on the box…
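    The "am I sure I got everything?" question can be answered with an inventory rather than a feeling. The following is an added example (not code from the original post) that lists, on a freshly set-up machine, what is installed, what starts automatically, and what is listening on the network, which is the attack surface the Code Red story is about. It assumes PowerShell 3 or later and, for `Get-NetTCPConnection`, Windows 8 / Server 2012 or later; the publisher filter at the end is an assumption. Run it from an elevated prompt.

```powershell
# Added example, not code from the original post.
# Inventory of an OEM image: installed software, auto-start entries,
# and listening TCP ports. Assumes PowerShell 3+; Get-NetTCPConnection
# needs Windows 8 / Server 2012 or later. Run elevated.

function Get-InstalledSoftware {
    # Installed programs are registered under the Uninstall keys
    # (64-bit, 32-bit-on-64 and per-user hives).
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object DisplayName, Publisher, DisplayVersion, InstallDate, UninstallString |
        Sort-Object DisplayName -Unique
}

function Get-AutoStartEntries {
    # Services configured to start automatically ...
    $services = Get-CimInstance Win32_Service |
        Where-Object { $_.StartMode -eq 'Auto' } |
        Select-Object @{n = 'Type'; e = { 'Service' }},
                      @{n = 'Name'; e = { $_.Name }},
                      @{n = 'Command'; e = { $_.PathName }}

    # ... plus the classic Run keys, machine-wide and per-user.
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    )
    $run = foreach ($key in $runKeys) {
        if (Test-Path $key) {
            $props = Get-ItemProperty -Path $key
            foreach ($p in $props.PSObject.Properties) {
                # Skip the PS* metadata properties Get-ItemProperty adds.
                if ($p.Name -notmatch '^PS') {
                    [pscustomobject]@{ Type = 'RunKey'; Name = $p.Name; Command = $p.Value }
                }
            }
        }
    }
    @($services) + @($run)
}

function Get-ListeningPorts {
    # Every listening socket is reachable attack surface, whether or not
    # anyone knows the service is there (Code Red needed only a listening IIS).
    Get-NetTCPConnection -State Listen |
        Select-Object LocalAddress, LocalPort, OwningProcess,
            @{n = 'Process'; e = {
                (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName }} |
        Sort-Object LocalPort -Unique
}

# Publisher filter is an assumption: show what the OEM added on top of the OS.
Get-InstalledSoftware | Where-Object { $_.Publisher -notmatch 'Microsoft' } | Format-Table -AutoSize
Get-AutoStartEntries | Format-Table -AutoSize
Get-ListeningPorts   | Format-Table -AutoSize
```

    The `UninstallString` column gives you the command to remove each entry; the auto-start and listening-port lists are what to re-run afterwards to confirm that nothing you removed left a service or port behind.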

    Roger

  • 6 Month Windows Vista Vulnerability Report

    Jeff has just posted the next version of his Windows Vista vulnerability report on his blog. He now looks at the first six months of Windows Vista and how the vulnerabilities developed compared to Windows XP and some other operating systems.

    Happy reading: http://blogs.csoonline.com/windows_vista_6_month_vulnerability_report

    Roger