Archive for July, 2006

Microsoft strategy: “Security through publicity”

Monday, July 31st, 2006

US-CERT reports on 7/11:

Microsoft DHCP Client service contains a buffer overflow
Microsoft DHCP Client service contains a buffer overflow. This vulnerability may allow a remote attacker to execute arbitrary code on a vulnerable system.

Details: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2372

Holy sweet jesus.

Look at the systems affected:

  • Microsoft Windows 2000 SP4
  • Windows XP SP1 and SP2
  • Windows Server 2003 up to SP1

DHCP client probably runs actively on just about every home PC, and a large number of business PCs.

What distresses me most is that for the upcoming Windows Vista, Microsoft revamped their implementation of the entire TCP/IP protocol stack.

If Microsoft could let such an obvious and novice bug persist in the code since Windows 2000 SP4, how on earth can we trust that their rewrite of the protocol stack will be bug free?

The fact that this bug has persisted for so many years is negligence on Microsoft’s part.

In all likelihood, the DHCP client is written in C or C++. There are automated static analysis tools that can detect buffer overflows in both of those languages.
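To make the bug class concrete, here is an added example (not the Microsoft DHCP client, and not a reproduction of CVE-2006-2372; the advisory quoted above gives no details of that bug). DHCP options are type-length-value, and the length byte comes from whoever is on the LAN, so a copy of "len" bytes into a fixed buffer with no bound check is exactly the pattern that static checkers flag. The constants, the constructed packet builder and the hypothetical 64-byte host-name buffer are assumptions for this illustration; the vulnerable parser is shown beside the hardened one.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration of the bug class, not the Microsoft DHCP client and
 * not a reproduction of CVE-2006-2372.  DHCP options are type-length-value:
 * one code byte, one length byte, then the value.  An attacker on the LAN
 * controls the length byte, so copying 'len' bytes into a fixed buffer
 * without a check is the textbook overflow that static checkers flag. */

#define HOSTNAME_MAX   64    /* fixed-size buffer in the hypothetical client */
#define OPT_ROUTER     3     /* RFC 2132 option codes */
#define OPT_HOST_NAME  12
#define OPT_END        255

/* Vulnerable parser: trusts the length byte from the wire. */
int parse_hostname_unsafe(const uint8_t *opts, size_t n, char out[HOSTNAME_MAX])
{
    size_t i = 0;
    while (i + 2 <= n && opts[i] != OPT_END) {
        uint8_t code = opts[i], len = opts[i + 1];
        if (i + 2 + len > n)
            return -1;                       /* options run past the packet */
        if (code == OPT_HOST_NAME) {
            memcpy(out, &opts[i + 2], len);  /* BUG: len may be up to 255 */
            out[len] = '\0';                 /* BUG: writes past out[63] */
            return (int)len;
        }
        i += 2 + len;
    }
    return -1;                               /* no host name option */
}

/* Hardened parser: the same loop, plus a bound on len before the copy. */
int parse_hostname_safe(const uint8_t *opts, size_t n, char out[HOSTNAME_MAX])
{
    size_t i = 0;
    while (i + 2 <= n && opts[i] != OPT_END) {
        uint8_t code = opts[i], len = opts[i + 1];
        if (i + 2 + len > n)
            return -1;
        if (code == OPT_HOST_NAME) {
            if (len >= HOSTNAME_MAX)
                return -2;                   /* too long: reject, keep NUL room */
            memcpy(out, &opts[i + 2], len);
            out[len] = '\0';
            return (int)len;
        }
        i += 2 + len;
    }
    return -1;
}

/* Constructed option block: a router option, then a host name of
 * 'hostlen' bytes of 'A', then END.  Returns bytes written, 0 on no room. */
size_t build_options(uint8_t *buf, size_t cap, uint8_t hostlen)
{
    size_t need = 6 + 2 + (size_t)hostlen + 1;
    if (cap < need)
        return 0;
    uint8_t router[6] = { OPT_ROUTER, 4, 192, 0, 2, 1 };
    memcpy(buf, router, 6);
    buf[6] = OPT_HOST_NAME;
    buf[7] = hostlen;
    memset(buf + 8, 'A', hostlen);
    buf[8 + hostlen] = OPT_END;
    return need;
}

/* Run one parser over a constructed packet; use_safe selects the version.
 * The unsafe parser is only ever called with an in-bounds length here. */
int demo(uint8_t hostlen, int use_safe)
{
    uint8_t pkt[300];
    char name[HOSTNAME_MAX];
    size_t n = build_options(pkt, sizeof pkt, hostlen);
    if (n == 0)
        return -3;
    return use_safe ? parse_hostname_safe(pkt, n, name)
                    : parse_hostname_unsafe(pkt, n, name);
}

/* A packet whose length byte claims more data than is present. */
int demo_truncated(void)
{
    uint8_t pkt[] = { OPT_HOST_NAME, 40, 'A', 'B', 'C' };
    char name[HOSTNAME_MAX];
    return parse_hostname_safe(pkt, sizeof pkt, name);
}

int main(void)
{
    printf("safe, 10-byte name:   %d\n", demo(10, 1));      /* 10 */
    printf("unsafe, 10-byte name: %d\n", demo(10, 0));      /* 10 */
    printf("safe, 200-byte name:  %d\n", demo(200, 1));     /* -2, rejected */
    printf("safe, truncated:      %d\n", demo_truncated()); /* -1 */
    /* demo(200, 0) would write 137 bytes past 'name'; that is the bug. */
    return 0;
}
```

The two parsers differ by one line. That is the point: the check is cheap, and a tool that tracks a tainted length into memcpy finds its absence without anyone reading the code.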

Microsoft’s commitment to security seems to be focused more on publicity than results.

Bill

Security is not the CISO or CIO’s job…

Sunday, July 23rd, 2006

As reported in Sans NewsBites from July 18:

The House Veterans Affairs Committee is pushing forward a new bill that would make the VA CIO an Undersecretary, giving him status equal to the other departmental leaders. It also creates another position, Undersecretary for Information Security. Additionally, it details response to data breaches, risk analysis and notification and credit monitoring services for those affected.

I imagine this kind of response is a common reaction to data security concerns. Create a CSO, or elevate the responsibility of the CIO, and make them responsible for “fixing the problem.”

The problem isn’t a security issue, it’s a mismanagement problem.

The objectives of the organization must justify the application of security. Security is only one tool an organization must use to achieve its identified business objectives. It must be seen not as a feature provided by IT, but as a key requirement for the organization to achieve its strategic mission.

A key business objective of the VA, as with any health organization, is to protect the medical and personal information of its patients. This objective can only be achieved through the proper application of processes and procedures. Technology can be an enabler here.

Instead many organizations take the opposite approach. “We need encryption to protect our user information.” This is insufficient. It applies a band-aid to a problem. It’s installing a gate, but failing to erect the fence.

Businesses must understand the implications to their bottom lines of improper business policies and procedures. Risks to key business objectives must be identified. For each risk, threats must be analyzed and decomposed. Policies and procedures, coupled with application of technology can help the company achieve a satisfactory level of mitigation.

Solve the problem, and put the band-aids away.

Bill

Again, Microsoft sacrifices security under pressure

Sunday, July 23rd, 2006

In Sans NewsBites from 17 July:

Microsoft has “pulled” Private Folder 1.0, a Windows add-on. The free software allowed users to protect folders with passwords; the purpose of the software is to help people who share PCs protect their data from others who use the same computer. The software was available to users participating in Microsoft’s Windows Genuine Advantage software verification program. Corporate users complained the software could create situations in which company data would be inaccessible to those who need it.

As I pointed out previously, I think this will be a trend going forward (as it has been in the past).

Microsoft delivers “their most secure operating system, ever,” but when business users complain about the features, the feature is removed, or disabled.

Security must be simple, or users will find ways of circumventing it.

Microsoft EFS is not overly challenging to set up, and allows decryption by a pre-specified authorized agent.

Rather than keeping a feature that suits home users, who may not care about data recovery agents, Microsoft opts to yank the whole feature.

I’d have liked to see a different approach.

Bill

Microsoft to allow ActiveX installs for non-admin users in Vista

Thursday, July 20th, 2006

Microsoft had designed one of the Vista releases to prevent ActiveX installs for non-administrative users.

What a great idea. No more inadvertent installs of malicious ActiveX controls.

But bowing to pressure from beta testers, Microsoft will be releasing a feature allowing non-administrators to install ActiveX controls.

This is scary for two reasons:

First, ActiveX is a paradigm fraught with security problems. Restricting ActiveX controls so that they install only if they are on a white list, or run only in the user's context, is of little value, as attackers will find ways of circumventing these restrictions. Additionally, I suspect most SMBs have users set up as local administrators…

Second, and perhaps scarier: Microsoft has set the precedent that they are willing to roll back security enhancements in Vista when customers complain.

Where will this end?

Based on reports of the overwhelming challenges and confirmation dialogs Vista places in front of the system user, I suspect that the rollbacks will continue until Vista reverts to Windows XP, but with significantly higher resource requirements.

Sadly, I believe that the end game here is that businesses will start installing Linux, or purchasing Macs.

In the very long term, this may be good for Microsoft. Starvation might be just what’s needed for Microsoft to get its head back in the game.

Bill

Microsoft to present at Black Hat

Thursday, July 20th, 2006

So, Microsoft will be doing a track at Black Hat this August.

I guess their goal is to show off the security enhancements in the Vista product line.

I suspect they are laying the groundwork with security researchers. Show off their wares. Placate and get buy-in.

I have no reason to believe that Vista will be any more secure than XP.

The size of the operating system, coupled with the fact that the vast majority of Windows flaws are simple buffer overflows, points to an equally insecure operating system.

If Microsoft wants to build a secure OS, they need to build a small OS.

It’s much easier to secure 1 million lines of code than 140 million…

Microsoft loves to build functionality into the core. Integration of software is great, but it leads to complexity. Complexity leads to insecurity.

I honestly believe that if the courts had forced Microsoft to split into multiple companies, security would have vastly increased.

There is no guarantee that each company would create secure code, but if the OS developers were only responsible for writing a secure OS, then we might not see simple buffer overflows in Internet Explorer leading to system-level access to the box.

Disjoined (loosely coupled) software would be developed, allowing users to choose what they want to install. Smaller install = smaller attack surface = increased security.

I point to OpenBSD here. Highly secure kernel. But no guarantee on the security of installed applications. Don’t see too many PWNED OpenBSD boxes because of a flawed browser install…

Bill

Using Google to find hacked sites…

Thursday, July 20th, 2006

The July 17th issue of eWeek discusses a new tool by Websense Security Labs. This tool integrates with the Google API to query the Google index for malicious software on sites of interest.

An interesting idea. Apparently, Google will index anything on a site, including executables. With executables, at least with Windows PE-format executables, it indexes the ASCII strings found in the binary.

You can, then, search for malware provided you know what the ASCII strings are within the executable. Websense must be updating some type of definition file with strings known to be in malware.
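The mechanism described above, as an added example (not Websense’s code, and not Google’s indexer): pull the printable ASCII runs out of an executable, the way strings(1) does, and look them up in a list of strings known to occur in malware. The sample bytes standing in for a PE file and the two "known bad" signature strings are constructed for this illustration and are not real malware indicators.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example of the technique the post describes: extract the printable
 * ASCII runs from an executable (what strings(1) and, per the post, Google's
 * indexer do) and look them up in a list of strings known to occur in
 * malware.  The sample bytes and the signature list below are constructed
 * for this example; nothing here is Websense's code or data. */

#define MIN_RUN      6       /* shorter runs are mostly noise */
#define MAX_STRINGS  64
#define MAX_LEN      128

typedef struct { char s[MAX_LEN]; } ascii_string;

/* Copy every run of >= MIN_RUN printable ASCII bytes (0x20..0x7e) into
 * out[]; returns the number of runs found. */
size_t extract_strings(const unsigned char *buf, size_t n,
                       ascii_string *out, size_t cap)
{
    size_t count = 0, start = 0;
    for (size_t i = 0; i <= n; i++) {
        int printable = (i < n) && buf[i] >= 0x20 && buf[i] <= 0x7e;
        if (printable)
            continue;
        size_t run = i - start;               /* the run is buf[start, i) */
        if (run >= MIN_RUN && count < cap) {
            size_t copy = run < MAX_LEN - 1 ? run : MAX_LEN - 1;
            memcpy(out[count].s, buf + start, copy);
            out[count].s[copy] = '\0';
            count++;
        }
        start = i + 1;
    }
    return count;
}

/* Constructed "known bad" strings, standing in for a vendor's definition file. */
static const char *signatures[] = { "EVIL_DROPPER_V1", "urlmon.dll" };

/* Count extracted strings that contain any signature (substring match). */
size_t match_signatures(const ascii_string *strs, size_t n)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        for (size_t j = 0; j < sizeof signatures / sizeof signatures[0]; j++)
            if (strstr(strs[i].s, signatures[j])) { hits++; break; }
    return hits;
}

/* Constructed stand-in for a PE file: DOS header bytes, the DOS stub
 * message, some binary, a marker string, a too-short run, an import name. */
static size_t sample_blob(unsigned char *buf, size_t cap)
{
    const unsigned char parts[] =
        "MZ\x90\x00\x03\x00"
        "This program cannot be run in DOS mode.\x00\x00\x01"
        "EVIL_DROPPER_V1\x00"
        "abc\x00"
        "kernel32.dll\x00\x00";
    size_t n = sizeof parts - 1;   /* drop the literal's trailing NUL */
    if (n > cap) return 0;
    memcpy(buf, parts, n);
    return n;
}

/* Number of strings the sample yields: the DOS stub message, the marker,
 * and the import name ("abc" and "MZ" are below MIN_RUN). */
size_t sample_string_count(void)
{
    unsigned char buf[256];
    ascii_string strs[MAX_STRINGS];
    size_t n = sample_blob(buf, sizeof buf);
    return extract_strings(buf, n, strs, MAX_STRINGS);
}

/* Number of those strings that hit the signature list. */
size_t sample_hit_count(void)
{
    unsigned char buf[256];
    ascii_string strs[MAX_STRINGS];
    size_t n = sample_blob(buf, sizeof buf);
    size_t found = extract_strings(buf, n, strs, MAX_STRINGS);
    return match_signatures(strs, found);
}

int main(void)
{
    unsigned char buf[256];
    ascii_string strs[MAX_STRINGS];
    size_t n = sample_blob(buf, sizeof buf);
    size_t found = extract_strings(buf, n, strs, MAX_STRINGS);
    for (size_t i = 0; i < found; i++)
        printf("string: %s\n", strs[i].s);
    printf("signature hits: %zu\n", match_signatures(strs, found));
    return 0;
}
```

The weakness of the approach is visible in the code: it only sees what the indexer kept, and a packed or string-obfuscated binary yields nothing usable, so a miss says very little.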

Naturally, if a hacker finds a site that is infected, they can use that site as a repository, remotely fetching the file without needing to host it somewhere that can be easily tracked back to them.

Has anyone had success querying Google for any infected sites?

For more information, see Websense: http://www.websense.com/global/en/

Bill

Secure electronic voting and auditing

Monday, July 10th, 2006

From SANS NewsBites

Study Finds Popular eVoting Machines Susceptible to Fraud (27 June 2006)
A Brennan Center for Justice study of electronic voting machines concluded that the three most widely used voting machines are vulnerable to fraud, but there are measures that can be taken in all three cases to boost their integrity. Roughly 80 percent of American voters are expected to use electronic voting machines in elections this November. Representative Rush Holt (D-N.J.) has introduced a bill that would require all voting machines to provide a verifiable paper audit trail.
http://news.com.com/2102-7348_3-6088464.html?tag=st.util.print

I wonder what the nature of the auditing is?

Voting systems must verify that each person can only vote once, but there must be no way to tie a voter to his/her ballot.

This poses many interesting auditing issues.

Mix-nets can help, but I don’t expect to see that kind of thing anytime soon.

I remember studying a scheme in a class I took where individuals would receive a coupon which could be used in conjunction with a sister coupon to verify that a vote actually counted in a final tally.

I’ll have to look that up again.

Electronic voting has a long way to go before I’ll trust it.

With paper balloting, we have several advantages:

  • It’s a system that’s been conducted for centuries, and lots of auditing can take place at each step of the process.
  • Error rates in tallying can be quantified, and, hopefully, are identical across all voting populations.

With voting, the perception of security is important to voters. A black box with some cute touch-screen does not feel as secure as something they can pick up, hold, and watch.

With electronic voting, the ability to swap millions of votes in the “ether” makes auditing much tougher. Voters hear about computer breaches every day on the news. Overcoming this stigma will make electronic voting tougher to mainstream.

That said, jurisdictions seem to be moving full steam ahead with adopting electronic voting machines, despite the overwhelming evidence of their insecurity.

Last time I voted in Maryland, I told the polling official that I had evidence that the voting machines they were using were susceptible to fraud. They kindly informed me that I could fill out a paper ballot, but that my vote would only be counted in the event of a run-off election.

Good job, Maryland!

Bill

Opinion - Who owns your data… Not you.

Monday, July 10th, 2006

As reported in SANS NewsBites:

Study: Some IT Directors Using Live Data for Application Testing and Development (4 July 2006)
A study has found that of 100 UK IT directors, 44 percent use real customer data when testing and developing applications in violation of the Data Protection Act (DPA). The DPA’s second principle prohibits the use of customer data for any “purposes other than those for which it was collected.” Eighty-six percent of those surveyed said their companies sent customer data offshore protected only by a non-disclosure agreement.
http://management.silicon.com/government/0,39024852,39160080,00.htm

What’s really disturbing is that you may have no idea that this company even has your data.

Suppose this organization obtained your information by purchase from some other organization. This frequently happens as credit card companies trawl for potential new customers. Ever wonder why you suddenly start getting credit offers from a company you’ve never heard of?

Next, this company, unbeknownst to you ships your data off to another organization for this sort of testing.

Your data has been bought, sold, and hand delivered to an organization that, for all intents and purposes, hasn’t a care in the world for that data’s secrecy.

All it takes is some disgruntled or profiteering soul in some off-shore development firm to take that data and sell it for personal gain.

How could companies skirt the issue here?

In order to comply with the DPA, is all they would have to do amend their privacy statement with the phrase “and to test enhancements to our systems”?

How many times have I read a site’s privacy statement?

And, if a company buys my info from someone else, what constitutes “purposes other than those for which it was collected?”

Good privacy laws are important, but I’m unsure of whether or not they can be effectively legislated and enforced.

Particularly here in the United States, where two situations thwart good privacy law:

  1. Individuals are not well organized, institutions that use your data are.
  2. Organizations that stand to lose the most have nearly limitless funds that they can expend “influencing the public process.”

The goal of privacy-enforcing laws such as the DPA should be to ensure that the individual is in complete control of all information about themselves.

After all, my name is MY name.

Bill

Certifications can be good or bad?

Friday, July 7th, 2006

SANS Newsbites reports:

Breaches Point to Problems with FISMA (12 June 2006)
Some observers are hopeful that recent data security breaches at US government agencies could prompt changes to the Federal Information Security Management Act (FISMA). They say FISMA certification and accreditation requirements consume large portions of IT budgets, leaving the actual implementation of security measures under-funded. The OMB has given no indication that FISMA will be amended.

This is an interesting issue.

On the one hand, a recognized certification process can be a good thing. Organizations that have achieved the certification have, presumably, reached a quantifiable level of achievement.

You expect a certain level of excellence, for example, from an ISO 9001 certified organization, or a CMMI Level 5 certified software development firm.

But there is a dark side.

Certification and recertification processes require significant overhead. In a resource constrained organization simply putting forth the effort to achieve and maintain a certification may leave little resources to actually perform their duties!

I try to bring this home by thinking about my local mom-and-pop bagel shop. Suppose we introduce a “bagel quality certification.” Shops not meeting the standard will be heavily taxed, and may not receive permits allowing them to operate.

I can imagine that even in an event where the certification requirements were low, this would place a significant burden on the shop…

The same could be true for governmental organizations that FISMA governs. But only to an extent. Eventually just about every governmental organization will be able to increase funding to meet the mandate. This, in turn, invariably leads to higher taxes, which, in the very long run, reduces the number of patrons to my favorite mom-and-pop bagel shop…

I won’t get started on the economics here, but the point is clear. Certification systems are great. Legislated performance is great. Both must provide a path to increased value that exceeds the cost of implementation. Otherwise something will invariably suffer. Quality, innovation, service… Something will give.

Bill

Don’t put all your eggs in one basket

Monday, July 3rd, 2006

Looking over this week’s US-CERT Vulnerability Summary, it reminds me why we shouldn’t put all our eggs in one basket.

There are numerous vulnerabilities in security products! Sweet.

This reminds me of when a colleague PWNED a server of mine by trojaning Symantec’s updater! Imagine that. Antivirus trojaned…

Defense in depth is key. Have redundancy where needed. And don’t believe the marketing hype.

The swath of SQL injection vulnerabilities I can handle. Much of that code is written by users who have no interest in secure software.

Security product vendors have much more to lose. Who’s going to buy a product from a vendor with a seriously weak security history?

Perhaps that’s why Microsoft’s tools are free…

Bill