Archive for March, 2007

Vista flaws - let the games begin

Tuesday, March 27th, 2007

Micro$oft’s most secure OS (since its last “most secure OS”).

If this bug is legit, then it proves that Microsoft is more worried about the appearance of security than security itself.

Can I get an “input validation!”

From Full Disclosure:
Microsoft Windows Vista - Windows Mail Client Side Code Execution Vulnerability

From: Kingcope
Date: Fri, 23 Mar 2007 08:52:09 +0100

Microsoft Windows Vista - Windows Mail Client Side Code Execution Vulnerability
Successfully Tested on Windows Vista Ultimate

Greetings fly out to Alex, wtfomg, Thierry, Andi and Blackzero

Description
Windows Mail is the default Mail Client of Microsoft Windows Vista.

Vulnerability
Remote Code Execution is possible if a user clicks on a maliciously prepared link.

Vista’s Mail Client will execute any executable file if a folder exists with the same name.

For example the victim has a folder in C:\ named blah and a batch script named blah.bat also in C:\. Now if the victim clicks on a link in the email message with the URL target set to C:\blah the batch script is executed without even asking.

There is for example a CMD script by default in C:\Windows\System32\ named winrm.cmd (and also a folder named winrm inside System32).

Exploit:
Send an HTML email message containing the URL:
<a href="c:/windows/system32/winrm?">Click here!</a>
or
<a href="c:/windows/system32/migwiz?">Click here!</a>
and winrm.cmd/migwiz.exe gets executed without asking for permission.
These are just examples.

Later posts indicate that UNC paths work as well, but require an acknowledgment from the user.
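The defensive angle on the advisory quoted above is that a mail gateway or content filter can flag any link in an HTML message whose target is the local filesystem rather than a web resource: drive-letter paths (with or without the trailing “?” the advisory uses), UNC paths, and file: URLs. The following is an added example, not code from this post or from the Full Disclosure advisory; the sample message is constructed for illustration, and only the winrm path comes from the quoted text.

```python
"""Flag HTML e-mail links that point at the local filesystem.

Added example, not part of the original post or the quoted advisory.
SAMPLE_MESSAGE below is constructed; the winrm path is the one the
advisory cites, the other hrefs are made up for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Drive-letter paths such as "c:/windows/..." or "C:\blah", with or
# without a trailing "?" after the path.
DRIVE_PATH = re.compile(r"^[A-Za-z]:[\\/]")
# UNC paths such as \\server\share or //server/share.
UNC_PATH = re.compile(r"^(\\\\|//)[^\\/]+[\\/]")


class _HrefCollector(HTMLParser):
    """Collects href attributes from <a> tags in a message body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value is not None:
                    self.hrefs.append(value.strip())


def classify_href(href):
    """Return 'drive', 'unc', 'file-url' for a local-filesystem target, else None."""
    if DRIVE_PATH.match(href):
        return "drive"
    if UNC_PATH.match(href):
        return "unc"
    if urlsplit(href).scheme.lower() == "file":
        return "file-url"
    return None


def local_path_links(html):
    """Return [(href, kind), ...] for every link that targets the local filesystem."""
    parser = _HrefCollector()
    parser.feed(html)
    hits = []
    for href in parser.hrefs:
        kind = classify_href(href)
        if kind:
            hits.append((href, kind))
    return hits


# Constructed sample message: one normal link, one drive-letter link of the
# kind the advisory describes, one UNC link, and a mailto link.
SAMPLE_MESSAGE = """<html><body>
<p>Please review:</p>
<a href="http://example.com/report">Report</a>
<a href="c:/windows/system32/winrm?">Click here!</a>
<a href="\\\\fileserver\\share\\tool">Shared drive</a>
<a href="mailto:bill@example.com">Reply</a>
</body></html>"""


if __name__ == "__main__":
    for href, kind in local_path_links(SAMPLE_MESSAGE):
        print(f"{kind:8s} {href}")
```

The forward-slash UNC form is indistinguishable from a scheme-relative web URL (“//host/path”), so the filter deliberately flags both and leaves the decision to policy; a rule that only matched backslashes would miss the variant a Windows client still resolves as a share.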

After a few days of using Vista, users will be “ok” happy on any alert box.

In setting up a Vista box for a friend, I was particularly concerned about having to click “ok” THREE times to delete ONE file!

PWNT by the M$FT man.

Bill

The GnuPG bug illustrates the secure composition problem

Sunday, March 11th, 2007

Security systems are hard to implement.

The recently disclosed vulnerability in applications using GnuPG illustrates what is referred to as the “secure composition” problem.

The secure composition problem states that you cannot be guaranteed a secure system composed of multiple, independently secure applications.

I.e., if A is secure and B is secure, and C = A + B, then C is not necessarily secure…

Here’s a great, detailed explanation of the flaw.  Understanding the 4 attack vectors will help illustrate the complexity of building secure systems…

By Core Security Technologies:
CORE-2007-0115: GnuPG and GnuPG clients unsigned data injection vulnerability

Bill Gross

Microsoft OneCare lagging behind competitors

Monday, March 5th, 2007

A few snips from John Dunn’s article on Techworld:

A new test of anti-malware programs has found that Microsoft’s OneCare software is by some margin the weakest product on the market.

OneCare was only able to detect an average of 82.4 percent of what was thrown at it. To put this into context, the next-worst program, Dr Web, scored 89.27 percent…

AV Comparatives also tested each program against a sample of polymorphic viruses…

Again, OneCare scored weakly, detecting only 4 out of the 12 polymorphics pitted against it.

The article also links to another article describing Microsoft Defender’s abysmal performance, detecting less than half the malware tested.

Though I’ve talked in the past about the impracticality of letting the fox build the hen house, I’ll talk a little further about incentives.

Bruce Schneier discusses the economic incentives for corporations by looking at economics and externalities.

What is the economic incentive for Microsoft to perform well in the security arena?

None.

  • Microsoft is not liable, legally or financially, for compromises of its poorly written software.
  • Microsoft has a huge stake in giving the appearance of security, real or not.  People “want” to see that Microsoft is doing something.  If it looks like they are doing something, people will not look to alternatives.
  • Microsoft has to combat the (ill-gained) notion that Macs are more secure.  Apple threatens Microsoft’s bottom line.

Microsoft has turned into a Goliath, like a huge government that has exceeded its ability to provide services in a fiscally reasonable manner.

This reminds me of some economics classes I took as an undergrad that focused on the role of government in the economies of developing countries.

There are some things that government can do, but there are others that government cannot do effectively.

For example, one of the best things government can do to allow for rapid economic growth is to provide stable critical infrastructure:

  • roads, railways, and shipping ports
  • a stable electrical grid
  • laws and regulations creating a “fair” environment for contract creation, negotiation, and dispute resolution
  • patent and trademark systems to protect the brand and intellectual property

Private sector companies can provide much of the rest.

When government steps outside those bounds, it begins assuming responsibility for things it cannot satisfactorily provide.

When a company gets to the point that there is no fair competition, they operate like a government that has exceeded its economically reasonable mandate (think a huge socialist government).  The company becomes incapable of providing a service at a level of quality or cost that can be expected from the private sector.

This is what has happened at Microsoft.

They cannot provide security mechanisms better than the free market.

I’ve often thought that the best thing that could have happened to Microsoft during its anti-trust case was for the company to be broken down into several smaller companies, each of which would have to compete in the open market.

A new company, “Microsoft Security” could provide Defender, OneCare, and whatever other tools and resources it thought necessary.

Then those products could compete against other vendors for purchasing power in the market.

To get back to the point where they are producing truly innovative products, they need to get down to right-size.

If Microsoft wants to be successful in the coming decade, they must split up and compete in the market.  The core OS could provide the critical infrastructure.  Other Microsoft branded companies can provide the applications in a manner competitive in the market.  Let them fight for it!  We’ll get better products.

In the meantime smaller, more nimble and innovative companies (read, starving) will come along and produce products that will constantly nibble Microsoft’s bottom line.  Like a million piranhas working on a poor water buffalo attempting a river crossing in the Amazon.

Maybe the buffalo makes it.  My money is on the piranhas.

Bill

Britain’s secure passport initiative

Monday, March 5th, 2007

Britain has not chosen to have RF shielding added to their passports, and the result is devastating.

The article linked below describes how the information stored on the RFID card can be read by just about anyone.

Other weaknesses in the system of creating and delivering passports are also identified.

This article raises a series of good points.

Suppose it is possible to implement a truly secure RFID passport scheme. That scheme must consider more than the passport itself, but everything that could ever happen to the passport:

  • delivery mechanisms
  • access to apply, receive, use a passport
  • direct, physical brute force attacks against a passport
  • blah blah blah.

Basically, you’d need to consider the full scope of physical and technological security paradigms.

Just pondering the types of questions I’d want considered if I was in charge of making decisions about implementing an RFID enabled access control system:

  1. Is there any possibility that a perfectly determined, highly funded attacker can fake this system?
  2. If we can produce such a device, will staff rely too heavily on the technology and abandon traditional gut-level trust/lack of trust in the holder?
  3. If a device is compromised, what are the costs to the holder, or to the organization as a whole?
  4. Given 1, 2, 3, is it worth the cost to implement?

In my head, a passport is just like any physical or virtual access device, similar to:

  • an RSA passcode device
  • a session ID stored in a browser
  • a key for the lock in my office door
  • a password on a sticky under my keyboard

A single access device can and will be compromised.

To raise the stakes, we must make it more challenging to compromise the system based on the compromise of one or more of its access devices.

How about 2 factor authentication?

Suppose the passport agency holds a retinal scan, or thumb print database of the legal passport holders?

A passport coupled with a thumb print scan performed at the embarkation/debarkation point is slightly more secure (I say slightly because the passport should always be assumed to be forged, since anyone can do it.)

In any event, RFID passports are the government saying, “look, we are doing something good.”

The problem is people like me. We see them saying, “look, we are spending millions on something that is useless, allows easier access for attackers, and provides 1-stop shopping for someone wishing to steal your identity!”

Sweet.

Please read the article from “This is London”

Bill

The king has no clothes

Sunday, March 4th, 2007

Snip from:
http://www.infoworld.com/article/07/02/27/HNioactiverfid_1.html

By Paul F. Roberts
February 27, 2007

A planned talk on RFID security by a security researcher has been pulled from this week’s Black Hat Federal security conference after secure card maker HID claimed the talk violated the company’s patent rights and threatened to take legal action against Chris Paget, the researcher, and IOActive, Paget’s employer, if the talk went forward.

The company decided to cancel the talk after all-night negotiations with HID collapsed, said Josh Pennell, CEO of IOActive. In response, Black Hat organizers were forced to tear materials out of printed show proceedings and will instead present a discussion by a representative of the ACLU on the criticality of RFID security, said Jeff Moss, founder and director of Black Hat.

We’ve seen this before.

Sad.  Truly sad.

Though I think HID has a right to try to protect its brand, the fact of the matter is that attacks against RFID are pretty much vendor neutral.

In any event.  The sad reality for HID is that this incident alone will be enough to draw the attention of researchers who are not subject to threat under US patent law.

RFID vendors are scared out of their minds about this kind of information getting out because there is very little that can be done to secure RFID systems.

Companies like HID are making millions selling these chips as cure-alls, when the best they can be is one (small, fragile) link in the chain of defense in depth.

Bill

Free Kareem!

Thursday, March 1st, 2007

Fellow Bloggers,

I want to put a shout out in the blogosphere.

One of our own, Abdelkareem Nabil Soliman (Kareem), is in prison as we speak.  His crime?  Using his blog to express his personal views to the world.  Views that did not follow the “party line” in Egypt.

Kareem’s prosecutor has exclaimed that he intends to wage jihad against ‘the likes of Kareem.’

Help right this tragedy!

Read about his plight, and more importantly, GET INVOLVED at freekareem.org

Bill Gross