
Ingress filtering in Windows…. gulp

Saturday, August 19th, 2006

Good thing the integrated Windows Firewall supports ingress filtering. (sarcasm)

As reported on eWeek’s Security blog:

Botnet Herders Attack MS06-040 Worm Hole

The first wave of malicious attacks against the MS06-040 vulnerability is underway, using malware that hijacks unpatched Windows machines for use in IRC-controlled botnets.

The attacks, which started late Aug. 12, use a variant of a backdoor Trojan that installs itself on a system, modifies security settings, connects to a remote IRC (Internet Relay Chat) server and starts listening for commands from a remote hacker, according to early warnings from anti-virus vendors.

http://www.eweek.com/article2/0,1759,2002966,00.asp

DHS response to terror plot provides useless security

Saturday, August 19th, 2006

The day after the discovery of a terrorist plot to hijack 9 planes bound for the US, the Department of Homeland Security issued the following decree. This is from a printed flier I obtained while dropping off a friend at DCA:

EFFECTIVE IMMEDIATELY
By Order of the Department of Homeland Security
Transportation Security Administration

PASSENGERS MAY NOT HAVE LIQUIDS
OR GELS OF ANY SIZE AT THE
SCREENING CHECKPOINTS OR
IN THE CABIN OF THE AIRCRAFT

Including beverages, shampoo, suntan lotion, creams, toothpaste,
hair gel, and other items of similar consistency
Such items may be transported in checked baggage

Passengers may have -
Baby formula, breast milk, or juice if a baby or small child is traveling.
Prescription medicine with a name that matches the passenger’s ticket.
Insulin and essential other non-prescription medicines.

Beverages purchased in the sterile area must be consumed
before boarding the aircraft.

The most obvious issue here is the exception. As with most things in the security arena, the exception becomes the rule.

You can’t have liquids, but then you can. OMG WTF. That’s security!

Ok… So all I have to do is put my malware in a prescription bottle. Umm… Ok.

So, we inconvenience hundreds of thousands of innocent travelers while the evildoers are not thwarted.

This is useless security.

I could continue on a tirade against DHS (aka, Department of Hilarious Security), but I’ll let your mind wander here.

I have a vision. Within 5 years, after arriving at the gate, passengers will be required to remove all clothing, place it into a bag with their carry-on to be stowed beneath the aircraft. No food will be served, there will be no movies, no object will be in the cabin that isn’t bolted to the aircraft.

Surely this is an obvious extension of what DHS is doing now. The result: terrorists get a job in baggage handling and place timed devices on the aircraft…

There are few targets that can be sufficiently hardened to thwart a terrorist attack… Once one is hardened, the terrorists will simply pick an easier target.

DHS is a waste of my tax dollars. I’d gladly replace all of DHS-TS with 10 Israeli security forces personnel randomly placed at ingress points.

Bill

Sector based security efforts – a good thing

Saturday, August 19th, 2006

On August 7, eWeek Security reported the following:

Chemical Industry Giants Zone in on Cyber-Security
…”CIOs at leading chemical companies know how important security, both physical and cyber, is within our industry. And we believe that the industry as a whole has much to gain by sharing security information and practices,” said Neil Hershfield, director of the CSCSP and cyber-security director at Dow, in Midland, Mich….

http://www.eweek.com/article2/0,1759,1998047,00.asp

I believe sector based initiatives like this one are a good thing. The article goes into some detail describing the similarities in security requirements for all players in the chemical industry.

Their arguments can be applied to most industries. Collaboration helps distribute the cost and effort involved in coming up with best practices. It can reduce exposure to Federal regulation, and it can enable the industry to achieve a level of security across the board that might not be attainable by a single company’s effort.

But there are some caveats. We’ve all watched excellent effort in standardization fail when a big player pulls out of the talks because they aren’t getting what they want.

Success here may be best achieved by a representative group of the industry working to find a true set of best practices and wrapping them up in a standard, with a certification and recertification practice. This would be analogous to what we have with the American Bar Association.

Companies that do not want to take part risk the stigma of not receiving a certification. Then we just have to tie some sort of incentive to being certified. How do we convince a manufacturer that using an uncertified chemical supplier is detrimental?

The economist in me can only dream. The optimist would really like to see significant cooperation in different industrial sectors to achieve high standards for security.

Bill

100% undetectable malware on CPUs with hardware level virtualization

Saturday, August 19th, 2006

Meet Joanna Rutkowska. She is a security researcher focusing on operating system level security. She has created the Blue Pill.

The Blue Pill takes advantage of virtualization capability built into the processor, and can move a running OS into a virtual machine without reboot or other interruption.

To date, her concept is 100% undetectable. She goes into detail about how the virtualization subsystem can subvert timing analysis.

Beyond the Blue Pill, she has many research papers that will be of interest to system level security folks.

To find out more, and to stay on top of this amazing woman’s developments, visit:
http://theinvisiblethings.blogspot.com/
and
http://invisiblethings.org/

Bill

Meet Roger – another infosec researcher

Monday, August 14th, 2006

Roger and I graduated from the JMU Infosec Master’s degree program. Roger maintains a blog that you should add to your favorites.

RSS and ATOM feeds available…

Good to see you again, Roger!

“Microsoft Claims Security Win with New Development Rules”

Wednesday, August 9th, 2006

Just look at that headline from the eWeek article I linked to in my previous post…!
( http://www.eweek.com/article2/0,1895,1779769,00.asp )

Man, you’d think Microsoft was on K street, DC, not in Redmond, WA.

Hypothetically, training your software engineers and developers on how to write secure code is a good thing. Hypothetically, man can travel at the speed of light. Fact of the matter is that Microsoft can’t solve the security problem. Microsoft is its own worst enemy when it comes to solving the security problem.

Einstein said, “you cannot solve a problem with the same level of intelligence that created it.”

Software engineering groups that are serious about developing flawless software adopt this philosophy. They do this through such independent certification processes such as the SEI-CMM. For more details, see: http://www.sei.cmu.edu/

First thing’s first. Microsoft needs to develop an organizational structure and work flow that promotes excellence in software engineering. Once it has obtained some reasonable level of capability to write good software, it can then begin to eliminate software flaws in a measurable, predictable way.

Claiming victory because a barely used OS (Windows Server 2003) doesn’t have many reported flaws is just plain ABSURD. As a security researcher, I’m fond of asking, “How do you know you haven’t been compromised?” or “How do you know there are no flaws?”

Just because you don’t see them does not mean they are not there.

What’s worse, how on earth can I trust Microsoft to accurately assess or report on the changes it’s seeing? I can’t.

Success will be believable when independent analysis confirms that they have accomplished something, anything…

Until then, I think it’s status-quo in Redmond.

Bill

Microsoft hires LSD – Pleather or the real deal?

Wednesday, August 9th, 2006

As reported on eWeek:

LAS VEGAS—Remember the LSD—or Last Stage of Delirium—hacking group?
Back in 2003, the group of four Polish security researchers discovered the RPC (Remote Procedure Call) interface vulnerability that would later be used to unleash the Blaster worm, but because of distrust over Microsoft’s willingness to address software flaws at the time, LSD members had to be coaxed into sharing their findings.
Today, LSD is on Microsoft’s payroll, working on what is being hailed as the “largest ever penetration test” of an operating system coming out of Redmond, Wash.

http://www.eweek.com/article2/0,1895,1999070,00.asp

Earlier I wrote how Microsoft gives more lip service to security than they give effort.

Will hiring a hacker group really solve Microsoft’s security problem?

Yes and no. If done right, perhaps, if done wrong, then definitely not.

First, the groups hired must be able to report openly after the testing phase is over. Meaning, they must not be under any obligation to Microsoft to report future bugs to Microsoft only.

Second, the groups must be given unrestricted access to attack the system through any means possible. I.e., a group must not get the mandate: “attempt to use Word to escalate privilege…” The goal should be, “given local login access, attempt to gain Administrator or System privileges.”

Groups must also not be on an arbitrary deadline. They must be able to take as long as they want to attempt a break in.

Beyond the restrictions on the attackers, my biggest concern is not what they discover, but what Microsoft does with that discovery.

To this day, buffer overflows are still being discovered in Microsoft software that is years old. How on earth can I expect that they will actually solve the problems that are identified in pen testing?

Long and short, I can’t. Unless Microsoft is willing to open the source of its kernel, I will assume that it contains flaws. Even if pen testers don’t find them, or those very few researchers given access to the code don’t find them, the Windows kernel is one patch away from a vulnerability.

The eWeek article mentions an initiative at Microsoft titled its “Trustworthy Computing Security Development Lifecycle” [insert pleather here]. For the eWeek story, see http://www.eweek.com/article2/0,1895,1779769,00.asp

I’ll look into this some more. I suspect that this is more lip service.

Bill

Microsoft strategy: “Security through publicity”

Monday, July 31st, 2006

US-CERT reports on 7/11:

Microsoft DHCP Client service contains a buffer overflow
Microsoft DHCP Client service contains a buffer overflow. This vulnerability may allow a remote attacker to execute arbitrary code on a vulnerable system.

Details: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2372

Holy sweet jesus.

Look at the systems affected:

  • Microsoft Windows 2000 SP4
  • Windows XP SP1 and SP2
  • Windows Server 2003 up to SP1

DHCP client probably runs actively on just about every home PC, and a large number of business PCs.

What distresses me most is that for the upcoming Windows Vista, Microsoft revamped their implementation of the entire TCP/IP protocol stack.

If Microsoft could let such an obvious and novice bug persist in the code since Windows 2000 SP4, how on earth can we trust that their rewrite of the protocol stack will be bug free?

The fact that this bug has persisted for so many years is negligence on Microsoft’s part.

In all likelihood, the DHCP client is written in C or C++. There are automated tools that can detect buffer overflows in both of those languages.
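To make the “obvious and novice bug” concrete, here is an added example (my own illustration, not Microsoft’s code and not the actual defect behind CVE-2006-2372) of the length-prefixed option layout DHCP uses (code, length, data, per RFC 2132) parsed with the bounds checks that a fixed-size destination buffer needs. The naive pattern, copying `len` bytes from the network straight into a 64-byte buffer, is what static analyzers for C flag; the sample packets are constructed, and the 64-byte capacity and the function names are assumptions for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define OPT_BUF_CAP 64   /* assumed fixed-size destination buffer for one option's data */

enum opt_status { OPT_OK = 0, OPT_TRUNCATED = -1, OPT_TOO_LONG = -2 };

/* Copy the data of the option starting at pkt[off] into out.
 * Assumed layout (RFC 2132 style): [code:1][len:1][data:len].
 * The naive pattern this replaces is
 *     memcpy(out, &pkt[off + 2], pkt[off + 1]);   // trusts the network-supplied length
 * which writes past a 64-byte 'out' as soon as len exceeds 64, and reads past
 * the packet when len exceeds what was actually received. */
static enum opt_status copy_option_bounded(const uint8_t *pkt, size_t pkt_len, size_t off,
                                           uint8_t *out, size_t out_cap, size_t *out_len)
{
    if (off + 2 > pkt_len)              /* need both the code and the length byte */
        return OPT_TRUNCATED;
    size_t len = pkt[off + 1];
    if (len > pkt_len - (off + 2))      /* data would run past the end of the packet */
        return OPT_TRUNCATED;
    if (len > out_cap)                  /* data would run past the destination buffer */
        return OPT_TOO_LONG;
    memcpy(out, &pkt[off + 2], len);
    *out_len = len;
    return OPT_OK;
}

/* Walk an option region. Returns the number of TLV options copied without error,
 * or a negative enum opt_status at the first malformed option.
 * Code 0 is a one-byte pad, code 255 ends the list (both per RFC 2132). */
int count_valid_options(const uint8_t *pkt, size_t pkt_len)
{
    uint8_t buf[OPT_BUF_CAP];
    size_t off = 0, got = 0;
    int count = 0;

    while (off < pkt_len) {
        uint8_t code = pkt[off];
        if (code == 0)   { off++; continue; }
        if (code == 255) break;
        enum opt_status st = copy_option_bounded(pkt, pkt_len, off, buf, sizeof buf, &got);
        if (st != OPT_OK)
            return (int)st;             /* reject the whole packet, do not guess */
        count++;
        off += 2 + got;
    }
    return count;
}

/* Constructed sample inputs, not captured traffic. */
static const uint8_t good_pkt[] = { 53, 1, 2,  12, 4, 'h', 'o', 's', 't',  255 }; /* msg type, hostname, end */
static const uint8_t truncated_pkt[] = { 12, 10, 'a', 'b', 'c' };                 /* claims 10 data bytes, carries 3 */

/* An option whose length byte (100) is valid for the packet but larger than the
 * 64-byte destination: the case the naive copy turns into a stack overflow. */
int demo_too_long(void)
{
    uint8_t pkt[2 + 100];
    pkt[0] = 12;
    pkt[1] = 100;
    memset(pkt + 2, 'x', 100);
    return count_valid_options(pkt, sizeof pkt);
}

int main(void)
{
    printf("good:      %d\n", count_valid_options(good_pkt, sizeof good_pkt));          /* 2 */
    printf("truncated: %d\n", count_valid_options(truncated_pkt, sizeof truncated_pkt));/* -1 */
    printf("too long:  %d\n", demo_too_long());                                         /* -2 */
    return 0;
}
```

The two checks before the `memcpy` are the entire fix: one bounds the read by what was received, the other bounds the write by the destination’s capacity. Either one missing is the class of bug the post is complaining about, and both are exactly what a C static analyzer looks for when a copy length comes from untrusted input.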

Microsoft’s commitment to security seems to be focused more on publicity than results.

Bill

Security is not the CISO or CIO’s job…

Sunday, July 23rd, 2006

As reported in Sans NewsBites from July 18:

The House Veterans Affairs Committee is pushing forward a new bill that would make the VA CIO an Undersecretary, giving him status equal to the other departmental leaders. It also creates another position, Undersecretary for Information Security. Additionally, it details response to data breaches, risk analysis and notification and credit monitoring services for those affected.

I imagine this kind of response is a common reaction to data security concerns. Create a CSO, or elevate the responsibility of the CIO, and make them responsible for “fixing the problem.”

The problem isn’t a security issue, it’s a mismanagement problem.

The objectives of the organization must justify the application of security. Security is only one tool an organization must use to achieve its identified business objectives. Security must be seen not as a feature to be provided by IT, but as a key requirement for an organization to achieve its strategic mission.

A key business objective of the VA, as with any health organization, is to protect the medical and personal information of its patients. This objective can only be achieved through the proper application of processes and procedures. Technology can be an enabler here.

Instead many organizations take the opposite approach. “We need encryption to protect our user information.” This is insufficient. It applies a band-aid to a problem. It’s installing a gate, but failing to erect the fence.

Businesses must understand the implications to their bottom lines of improper business policies and procedures. Risks to key business objectives must be identified. For each risk, threats must be analyzed and decomposed. Policies and procedures, coupled with application of technology can help the company achieve a satisfactory level of mitigation.

Solve the problem, and put the band-aids away.

Bill

Again, Microsoft sacrifices security under pressure

Sunday, July 23rd, 2006

In Sans NewsBites from 17 July:

Microsoft has “pulled” Private Folder 1.0, a Windows add-on. The free software allowed users to protect folders with passwords; the purpose of the software is to help people who share PCs protect their data from others who use the same computer. The software was available to users participating in Microsoft’s Windows Genuine Advantage software verification program. Corporate users complained the software could create situations in which company data would be inaccessible to those who need it.

As I pointed out previously, I think this will be a trend going forward. (As it has been in the past).

Microsoft delivers “their most secure operating system, ever,” but when business users complain about the features, the feature is removed, or disabled.

Security must be simple, or users will find ways of circumventing it.

Microsoft EFS is not overly challenging to set up, and allows decryption by a pre-specified authorized agent.

Instead of keeping a feature that is good for home users who may not care about data recovery agents, Microsoft opts to yank the whole feature.

I’d have liked to see a different approach.

Bill