Archive for August, 2006

Attackers targeting Microsoft Office with no quarter

Monday, August 28th, 2006

From the eWeek Security blog:

Microsoft Office Under Siege

News Analysis: Attackers and flaw finders are pounding away at Microsoft Office applications, discovering new ways to attack millions of Windows machines. Can Microsoft cope with the deluge of flaws?

What started as an amusing eBay listing of an Excel vulnerability for sale has developed into an all-out hacker assault on Microsoft Office applications.

Security researchers and malicious hackers have zeroed in on the desktop productivity suite, using specialized “fuzzing” tools to find a wide range of critical vulnerabilities in Word, Excel and PowerPoint file formats.

http://www.eweek.com/article2/0,1759,2002421,00.asp

Today I was installing Microsoft FrontPage on my work desktop.

After the installation it reminded me to check for Office updates.

I thought, no sweat. Our desktops run Windows Update daily. I didn’t think I’d have any updates to install and could get straight to work.

Boy was I wrong. Well, it seems that Office Update does not always talk to Windows Update. I had at least 4 critical security updates in Office!

How in the heck can that happen? This machine has been running Windows Update daily, as far as I know.

Perhaps I’m wrong. Perhaps there is some misconfiguration in my Windows Update, but could it possibly be that Windows Update does nothing but update kernel-level software (IE, Windows Media Player, Microsoft Messenger, the Windows OS, and other highly critical pieces of software (sarcasm))?

Schweet…

Bill
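
Added example, not part of the original post: the behaviour described above is by design. Windows Update serves only Windows components; Office patches come from Office Update, or from Microsoft Update once the machine has been opted in to it. The PowerShell below uses the Windows Update Agent (WUA) COM API to register the Microsoft Update service and then search it for updates that are still missing, so Office updates show up alongside the Windows ones. The service GUID is Microsoft Update’s published identifier; everything else is an assumption of this example: a WUA 3.0 or later agent (for the AddService2 method), an account allowed to change Automatic Updates settings, and reachability of the update servers.

```powershell
# Added example: opt the local Windows Update Agent into Microsoft Update, then
# list every update that is not yet installed, Office updates included.
# Assumes WUA 3.0+ and an account permitted to change Automatic Updates settings.

# Published service ID for Microsoft Update (the catalog that carries Office).
# A search against Windows Update alone would return only Windows components.
$MicrosoftUpdateServiceId = '7971f918-a847-4430-9279-4a52d1efe18d'

$serviceManager = New-Object -ComObject 'Microsoft.Update.ServiceManager'
$registered = $serviceManager.Services |
    Where-Object { $_.ServiceID -eq $MicrosoftUpdateServiceId }

if (-not $registered) {
    # Flags 7 = asfAllowPendingRegistration (1) + asfAllowOnlineRegistration (2)
    #         + asfRegisterServiceWithAU (4), so Automatic Updates uses it as well,
    # which is what closes the gap between "Windows Update ran" and "Office is patched".
    $serviceManager.AddService2($MicrosoftUpdateServiceId, 7, '') | Out-Null
}

$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()

# ServerSelection 3 = ssOthers: search the service named in ServiceID rather than
# the default source, so the result covers Microsoft Update's catalog.
$searcher.ServerSelection = 3
$searcher.ServiceID       = $MicrosoftUpdateServiceId

$result = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")

foreach ($update in $result.Updates) {
    # MsrcSeverity is empty for non-security updates.
    $severity = if ($update.MsrcSeverity) { $update.MsrcSeverity } else { 'n/a' }
    '{0,-9} {1}' -f $severity, $update.Title
}
'{0} update(s) pending' -f $result.Updates.Count
```

Run it elevated on the desktop in question; if the first run lists Office titles that Windows Update never showed, that is exactly the gap the post ran into. On the 2006-era agent (WUA 2.0) the equivalent registration call was AddService with an authorization cab rather than AddService2.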

Ingress filtering in Windows… gulp

Saturday, August 19th, 2006

Good thing the integrated Windows Firewall supports ingress filtering. (sarcasm)

As reported on eWeek’s Security blog:

Botnet Herders Attack MS06-040 Worm Hole

The first wave of malicious attacks against the MS06-040 vulnerability is underway, using malware that hijacks unpatched Windows machines for use in IRC-controlled botnets.

The attacks, which started late Aug. 12, use a variant of a backdoor Trojan that installs itself on a system, modifies security settings, connects to a remote IRC (Internet Relay Chat) server and starts listening for commands from a remote hacker, according to early warnings from anti-virus vendors.

http://www.eweek.com/article2/0,1759,2002966,00.asp
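
Added example, not from the article: MS06-040 is the Server service flaw, reachable over SMB (TCP 139/445), so the hosts at risk are those with file and printer sharing exposed to the network, and the quoted malware’s tell is an accepted inbound SMB connection followed shortly by an outbound IRC connection from the same machine. The script below runs that detection logic over a handful of constructed firewall log lines (invented here for illustration, loosely modelled on the Windows Firewall pfirewall.log layout) and includes a check for the bulletin’s hotfix, KB921883. The IRC ports and the 30-minute window are assumptions; the article names neither.

```powershell
# Added example: flag hosts showing the MS06-040 worm pattern in firewall logs,
# an accepted inbound SMB connection (TCP 139/445) followed within a short window
# by an outbound IRC connection from the same host.
# Log lines are constructed for illustration, field layout (assumed):
#   date time action protocol src-ip dst-ip src-port dst-port path(SEND|RECEIVE)

$SmbPorts   = 445, 139
$IrcPorts   = 6667, 6666, 6668, 6669, 7000   # assumption: common IRC ports
$WindowMins = 30                              # assumption: beacon follows infection quickly

$sampleLog = @'
2006-08-13 01:02:03 OPEN TCP 10.0.0.5 192.168.1.20 33512 445 RECEIVE
2006-08-13 01:02:41 OPEN TCP 192.168.1.20 203.0.113.9 1044 6667 SEND
2006-08-13 01:10:00 OPEN TCP 192.168.1.30 203.0.113.50 1050 80 SEND
2006-08-13 02:15:00 OPEN TCP 192.168.1.40 203.0.113.77 1060 6667 SEND
2006-08-13 03:00:00 DROP TCP 10.0.0.5 192.168.1.50 40000 445 RECEIVE
2006-08-13 03:00:20 OPEN TCP 192.168.1.50 203.0.113.9 1070 6667 SEND
'@

function ConvertFrom-FirewallLog {
    param([string]$Text)
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -notmatch '\S') { continue }   # skip blank lines
        $f = $line -split '\s+'
        [pscustomobject]@{
            Time     = [datetime]::ParseExact("$($f[0]) $($f[1])", 'yyyy-MM-dd HH:mm:ss', $null)
            Action   = $f[2]
            Protocol = $f[3]
            SrcIp    = $f[4]
            DstIp    = $f[5]
            SrcPort  = [int]$f[6]
            DstPort  = [int]$f[7]
            Path     = $f[8]
        }
    }
}

function Find-Ms06040Pattern {
    param([object[]]$Events, [int]$WindowMinutes = $WindowMins)

    # Accepted inbound SMB: the exposure the Server service flaw is exploited through.
    $smbIn = $Events | Where-Object {
        $_.Action -eq 'OPEN' -and $_.Path -eq 'RECEIVE' -and $SmbPorts -contains $_.DstPort
    }
    # Outbound IRC: the bot checking in with its controller.
    $ircOut = $Events | Where-Object {
        $_.Action -eq 'OPEN' -and $_.Path -eq 'SEND' -and $IrcPorts -contains $_.DstPort
    }

    foreach ($hit in $smbIn) {
        $victim = $hit.DstIp
        $beacon = $ircOut | Where-Object {
            $_.SrcIp -eq $victim -and
            $_.Time -ge $hit.Time -and
            $_.Time -le $hit.Time.AddMinutes($WindowMinutes)
        } | Select-Object -First 1

        if ($beacon) {
            [pscustomobject]@{
                Victim  = $victim
                SmbFrom = $hit.SrcIp
                SmbAt   = $hit.Time
                IrcTo   = "$($beacon.DstIp):$($beacon.DstPort)"
                IrcAt   = $beacon.Time
            }
        }
    }
}

function Test-Ms06040Patched {
    # KB921883 is the hotfix shipped with bulletin MS06-040.
    # Only meaningful on a Windows host; $true when the hotfix is recorded.
    [bool](Get-HotFix -Id 'KB921883' -ErrorAction SilentlyContinue)
}

$events = @(ConvertFrom-FirewallLog -Text $sampleLog)
Find-Ms06040Pattern -Events $events | Format-Table -AutoSize
```

The constructed sample deliberately contains one host that matches both halves of the pattern, one host with IRC traffic but no preceding SMB connection, and one whose SMB connection the firewall dropped, so only the first should be reported. Any accepted RECEIVE on 445 from outside the local subnet is the missing ingress filter the post is being sarcastic about; call Test-Ms06040Patched on the flagged host before deciding whether the SMB hit could have succeeded.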

DHS response to terror plot provides useless security

Saturday, August 19th, 2006

The day after the discovery of a terrorist plot to hijack 9 planes bound for the US, the Department of Homeland Security issued the following decree. This is from a printed flier I obtained while dropping off a friend at DCA:

EFFECTIVE IMMEDIATELY
By Order of the Department of Homeland Security
Transportation Security Administration

PASSENGERS MAY NOT HAVE LIQUIDS
OR GELS OF ANY SIZE AT THE
SCREENING CHECKPOINTS OR
IN THE CABIN OF THE AIRCRAFT

Including beverages, shampoo, suntan lotion, creams, toothpaste,
hair gel, and other items of similar consistency
Such items may be transported in checked baggage

Passengers may have -
Baby formula, breast milk, or juice if a baby or small child is traveling.
Prescription medicine with a name that matches the passenger’s ticket.
Insulin and essential other non-prescription medicines.

Beverages purchased in the sterile area must be consumed
before boarding the aircraft.

The most obvious issue here is the exception. As with most things in the security arena, the exception becomes the rule.

You can’t have liquids, but then you can. OMG WTF. That’s security!

Ok… So all I have to do is put my malware in a prescription bottle. Umm… Ok.

So, we inconvenience hundreds of thousands of innocent travelers while the evildoers are not thwarted.

This is useless security.

I could continue on a tirade against DHS (aka, Department of Hilarious Security), but I’ll let your mind wander here.

I have a vision. Within 5 years, after arriving at the gate, passengers will be required to remove all clothing, place it into a bag with their carry-on to be stowed beneath the aircraft. No food will be served, there will be no movies, no object will be in the cabin that isn’t bolted to the aircraft.

Surely this is an obvious extension of what DHS is doing now. The result: terrorists get a job in baggage handling and place timed devices on the aircraft…

There are few targets that can be sufficiently hardened to thwart terrorist attack… Once one is hardened, the terrorists will simply pick an easier target.

DHS is a waste of my tax dollars. I’d gladly replace all of DHS-TSA with 10 Israeli security forces personnel randomly placed at ingress points.

Bill

Sector-based security efforts – a good thing

Saturday, August 19th, 2006

On August 7, eWeek Security reported the following:

Chemical Industry Giants Zone in on Cyber-Security
…”CIOs at leading chemical companies know how important security, both physical and cyber, is within our industry. And we believe that the industry as a whole has much to gain by sharing security information and practices,” said Neil Hershfield, director of the CSCSP and cyber-security director at Dow, in Midland, Mich….

http://www.eweek.com/article2/0,1759,1998047,00.asp

I believe sector-based initiatives like this one are a good thing. The article goes into some detail describing the similarities in security requirements for all players in the chemical industry.

Their arguments can be applied to most industries. Collaboration helps distribute the cost and effort involved in coming up with best practices. It can reduce exposure to Federal regulation, and it can enable the industry to achieve a level of security across the board that might not be attainable by a single company’s effort.

But there are some caveats. We’ve all watched excellent standardization efforts fail when a big player pulls out of the talks because it isn’t getting what it wants.

Success here may be best achieved by a representative group of the industry working to find a true set of best practices and wrapping them up in a standard, with a certification and recertification practice. This would be analogous to what we have with the American Bar Association.

Companies that do not want to take part risk the stigma of not receiving a certification. Then we just have to tie some sort of incentive to being certified. How do we convince a manufacturer that using an uncertified chemical supplier is detrimental?

The economist in me can only dream. The optimist would really like to see significant cooperation in different industrial sectors to achieve high standards for security.

Bill

100% undetectable malware on CPUs with hardware-level virtualization

Saturday, August 19th, 2006

Meet Joanna Rutkowska. She is a security researcher focusing on operating-system-level security. She has created the Blue Pill.

The Blue Pill takes advantage of the hardware virtualization extensions built into the processor (AMD’s SVM in the original proof of concept) and can move a running OS into a virtual machine without a reboot or other interruption.

To date, her concept is presented as 100% undetectable. She goes into detail about how the virtualization subsystem can subvert timing analysis.

Beyond the Blue Pill, she has many research papers that will be of interest to system-level security folks.

To find out more, and to stay on top of this amazing woman’s developments, visit:
http://theinvisiblethings.blogspot.com/
and
http://invisiblethings.org/

Bill

Meet Roger – another infosec researcher

Monday, August 14th, 2006

Roger and I graduated from the JMU Infosec Master’s degree program. Roger maintains a blog that you should add to your favorites.

RSS and ATOM feeds available…

Good to see you again, Roger!

“Microsoft Claims Security Win with New Development Rules”

Wednesday, August 9th, 2006

Just look at that headline from the eWeek article I linked to in my previous post…!
( http://www.eweek.com/article2/0,1895,1779769,00.asp )

Man, you’d think Microsoft was on K Street in DC, not in Redmond, WA.

Hypothetically, training your software engineers and developers on how to write secure code is a good thing. Hypothetically, man can travel at the speed of light. Fact of the matter is that Microsoft can’t solve the security problem. Microsoft is its own worst enemy when it comes to solving the security problem.

Einstein said, “you cannot solve a problem with the same level of intelligence that created it.”

Software engineering groups that are serious about developing flawless software adopt this philosophy. They do it through independent certification processes such as the SEI CMM. For more details, see: http://www.sei.cmu.edu/

First things first. Microsoft needs to develop an organizational structure and workflow that promotes excellence in software engineering. Once it has obtained some reasonable level of capability to write good software, it can then begin to eliminate software flaws in a measurable, predictable way.

Claiming victory because a barely used OS (Windows Server 2003) doesn’t have many reported flaws is just plain ABSURD. As a security researcher, I’m fond of asking, “How do you know you haven’t been compromised?” or “How do you know there are no flaws?”

Just because you don’t see them does not mean they are not there.

What’s worse, how on earth can I trust Microsoft to accurately assess or report on the changes it’s seeing? I can’t.

Success will be believable when independent analysis confirms that they have accomplished something, anything…

Until then, I think it’s status-quo in Redmond.

Bill

Microsoft hires LSD – Pleather or the real deal?

Wednesday, August 9th, 2006

As reported on eWeek:

LAS VEGAS—Remember the LSD—or Last Stage of Delirium—hacking group?
Back in 2003, the group of four Polish security researchers discovered the RPC (Remote Procedure Call) interface vulnerability that would later be used to unleash the Blaster worm, but because of distrust over Microsoft’s willingness to address software flaws at the time, LSD members had to be coaxed into sharing their findings.
Today, LSD is on Microsoft’s payroll, working on what is being hailed as the “largest ever penetration test” of an operating system coming out of Redmond, Wash.

http://www.eweek.com/article2/0,1895,1999070,00.asp

Earlier I wrote how Microsoft gives more lip service to security than they give effort.

Will hiring a hacker group really solve Microsoft’s security problem?

Yes and no. If done right, perhaps, if done wrong, then definitely not.

First, the groups hired must be able to report openly after the testing phase is over. Meaning, they must not be under any obligation to Microsoft to report future bugs to Microsoft only.

Second, the groups must be given unrestricted access to attack the system through any means possible. I.e., a group must not get the mandate: “attempt to use Word to escalate privilege…” The goal should be, “given local login access, attempt to gain Administrator or System privileges.”

Groups must also not be on an arbitrary deadline. They must be able to take as long as they want to attempt a break in.

Beyond the restrictions on the attackers, my biggest concern is not what they discover, but what Microsoft does with that discovery.

To this day, buffer overflows are still being discovered in Microsoft software that is years old. How on earth can I expect that they will actually solve the problems that are identified in pen testing?

Long and short, I can’t. Unless Microsoft is willing to open the source of its kernel, I will assume that it contains flaws. Even if pen testers don’t find them, or those very few researchers given access to the code don’t find them, the Windows kernel is one patch away from a vulnerability.

The eWeek article mentions an initiative at Microsoft titled its “Trustworthy Computing Security Development Lifecycle” [insert pleather here]. For the eWeek story, see http://www.eweek.com/article2/0,1895,1779769,00.asp

I’ll look into this some more. I suspect that this is more lip service.

Bill