microsoft

Exploits used for corporate espionage

From Ryan Naraine’s “Microsoft Confirms Excel Zero-Day Attack Under Way” (eWeek: 16 June 2006):

Microsoft June 15 confirmed that a new, undocumented flaw in its widely used Excel spreadsheet program was being used in an attack against an unnamed target.

The company’s warning comes less than a month after a code-execution hole in Microsoft Word was exploited in what is described as a “super, super targeted attack” against business interests overseas.

The back-to-back zero-day attacks closely resemble each other and suggest that well-organized criminals are conducting corporate espionage using critical flaws purchased from underground hackers.

Exploits used for corporate espionage Read More »

Unix specs vs. Windows specs

From Peter Seebach’s Standards and specs: Not by UNIX alone (IBM developerWorks: 8 March 2006):

In the past 20 years, developers for “the same” desktop platform (“whatever Microsoft ships”) have been told that the API to target is (in this order):

* DOS
* Win16
* OS/2
* Win32
* WinNT
* WinXP
* and most recently .NET.

Of course, that list is from last year, and now the “stable” target that you should be developing for, if you have an eye for the future, is Vista.

It hasn’t been quite as bad in the Macintosh world, where the number of major API changes has been limited: classic single-tasking Mac OS, classic multitasking Mac OS (System 7), Carbon (System 8/9 and preview of OS X), and Cocoa (OS X), but even there, the cost of migration has been significant. At least OS X finally offers a stable UNIX API for the back-end part of programs, allowing developers to ignore the API creep except in GUI code.

By contrast, twenty-year-old UNIX utilities still compile and run. A new desktop computing API will come and everyone will have to rewrite for it, but mountains will erode away before read() and write() stop working. This is the reason that all the hassle of formal UNIX standards has had so little effect on practical UNIX software development; the core API is simple, clean, and well-designed, and there is no need to change it significantly.

… UNIX users have been switching hardware platforms since the 1970s; it’s no big deal. …

Just as there are many varieties of UNIX, there are many UNIX standards:

* Probably the oldest standard that people still refer to is AT&T’s 1985 System V Interface Definition (SVID). This standard shows up, for instance, in man pages describing the standards compliance of functions that have been in the C library “forever.”
* Meanwhile, X/Open (now the Open Group) was developing “portability guides” with names like XPG2, XPG3, and so on. XPG1 was actually released in 1995. The XPG guides are largely subsumed into newer specs, but once again, are still referred to sometimes in documentation.
* The IEEE’s POSIX standard showed up in 1990 with updates in 1992 and 1993 and a second edition in 1996. It’s still a viable standard, although it has suffered from poor accessibility. POSIX specs have names like 1003.x; for instance, 1003.1 and 1003.2, which refer to different parts of the standard, or 1003.1-1988 and 1003.1-1990, which refer to two versions of the standard.
* The fairly ominous sounding “Spec 1170” (also known as “UNIX 98” or “Single Unix Specification”) is probably the most complete specification; it is produced by the Open Group, and is effectively a descendant of the XPG series. In practice, this is “the” UNIX standard these days, although it’s a little large; this has had an impact on conformance testing.
* The Linux Standards Base is not strictly a UNIX standard, but it’s a standardization effort relevant to a very large number of developers working with code designed to run “on UNIX.” …

You can look at OS specifications in two very different ways: one is from the point of view of a developer trying to port an application, and the other is from the point of view of the user trying to interact with the system.

UNIX conveniently blurs this distinction. The primary user interface is also one of the primary development environments; therefore, UNIX specifications often cover not only the C language API, but also the shell environment and many of the core utilities shell programmers rely on. …

From the perspective of a developer who’s seen many Unix-like systems, Linux is probably mostly sort of similar to System V. The heavy focus on GNU utilities gives a sort of surreal combination of Berkeley and System V features, but if you have to guess whether Linux does something the Berkeley way or the System V way, go with System V. This is especially true of system startup; nearly all Linux systems use the System V /etc/inittab and /etc/rc.d structure, or something very close to it. …

Unix specs vs. Windows specs Read More »

Why Microsoft is threatened by open source

From How Microsoft played the patent card, and failed (The Register: 23 December 2004):

… the joint lead on the Samba project, Jeremy Allison …: “Microsoft has bought off and paid off every competitor it has, except open source. Every single player they could buy out, they did. That leaves Real, and FOSS. And they can’t buy us out, because you can’t buy off a social movement.”

Why Microsoft is threatened by open source Read More »

Search for Microsoft Money data files on P2P networks

From Greg Brooks’s more on DIY phishing kits hit the Net (Interesting People: 21 August 2004):

Turn on Kazaa or your p2p app of choice and search for .mny files — the data stores for Microsoft Money.

Most of these files won’t be password protected — just download, open and you’ve got a trove of personal financial data to work with. Stumble across a protected file? There are inexpensive utilities for recovering the password.

Search for Microsoft Money data files on P2P networks Read More »

Windows directory services

From David HM Spector’s Unfinished Business Part 2: Closing the Circle (LinuxDevCenter: 7 July 2003):

… an integrated enterprise directory service does give network managers a much greater ability to manage large-scale networks and resources from almost every perspective.

Unlike most UNIX systems, Windows environments are homogeneous. There are three modes of operation in terms of user and resource management in the Windows universe:

1. Stand-alone.
2. Domain membership through a domain controller.
3. Organizational-unit membership in an LDAP-based directory such as Active Directory (or via a third-party directory such as NDS, but those are declining as more organizations switch to AD). …

Three major pieces of software make up the bulk of what Active Directory does:

* LDAP, the Lightweight Directory Access Protocol.
* Kerberos, the authorization system originally developed as part of MIT Athena (later, the basis for the security components in OSF’s DME).
* A SQL database.

These components interact with the Windows APIs to deliver a one-stop repository for any attribute that can be used to describe a system, a service, a device, users, groups, a relationship, a policy, an authorization, or another relationship in a computing environment. …

LDAP in AD is used to manage:

* DNS addresses
* Workstation and server descriptions
* Printers
* Print queues
* Volume mappings
* Certificates
* Licenses
* Policies (such as ACLs, security policies, etc.)
* Groups
* Users
* Contacts

All of these data are stored in one unified system, which can be broken down relatively easily (with some major caveats) by physical location (site), division, organization unit, or department and workgroup, and managed in a distributed fashion. These data can be replicated for redundancy and performance purposes. All Windows APIs must operate within this system if they are to participate in the network and have access to its resources. Repository data is wrapped up by and authenticated through the use of Kerberos Tickets, which makes the system (again, general Windows caveats applied) secure. …

The most interesting part of this story is that 95% of the hard work has already been done! Microsoft didn’t invent totally new LDAP schemas to make Active Directory as comprehensive as it is — as usual, they embraced and extended the work of others. LDAP schemas already exist, and are publicly available to cover:

* Contact management: The InetOrgPerson schema
* IP Addresses, Users, Server/Workstation Info: The NIS schema
* Kerberos tickets: IETF Kerberos KDC schema

Of course, Microsoft’s own schemas are available for perusal on any Active Directory server (or, if you happen to have a Macintosh OS X box, look in /etc/openldap, for all of Microsoft’s schemas are there). …

Windows directory services Read More »

Unix vs Windows: NYC vs Celebration

From David HM Spector’s Unfinished Business Part 2: Closing the Circle (LinuxDevCenter: 7 July 2003):

The UNIX world is the result of natural evolution, not the outgrowth of a planned community. UNIX is a lot like New York City: dynamic, always reinventing itself, adapting to new needs and realities. Windows is a lot like Celebration, USA: static, a set piece of predictability, slow to provide new services and very resistant to change or difference of view or opinion.

Unix vs Windows: NYC vs Celebration Read More »

Virtual-machine based rootkits

From Samuel T. King, Peter M. Chen, Yi-Min Wang, Chad Verbowski, Helen J. Wang, & Jacob R. Lorch’s “SubVirt: Implementing malware with virtual machines
” [PDF] (: ):

We evaluate a new type of malicious software that gains qualitatively more control over a system. This new type of malware, which we call a virtual-machine based rootkit (VMBR), installs a virtual-machine monitor underneath an existing operating system and hoists the original operating system into a virtual machine. Virtual-machine based rootkits are hard to detect and remove because their state cannot be accessed by software running in the target system. Further, VMBRs support general-purpose malicious services by allowing such services to run in a separate operating system that is protected from the target system. We evaluate this new threat by implementing two proof-of-concept VMBRs. We use our proof-of-concept VMBRs to subvert Windows XP and Linux target systems, and we implement four example malicious services using the VMBR platform. Last, we use what we learn from our proof-of-concept VMBRs to explore ways to defend against this new threat. We discuss possible ways to detect and prevent VMBRs, and we implement a defense strategy suitable for protecting systems against this threat. …

A major goal of malware writers is control, by which we mean the ability of an attacker to monitor, intercept, and modify the state and actions of other software on the system. Controlling the system allows malware to remain invisible by lying to or disabling intrusion detection software.

Control of a system is determined by which side occupies the lower layer in the system. Lower layers can control upper layers because lower layers implement the abstractions upon which upper layers depend. For example, an operating system has complete control over an application’s view of memory because the operating system mediates access to physical memory through the abstraction of per-process address spaces. Thus, the side that controls the lower layer in the system has a fundamental advantage in the arms race between attackers and defenders. If the defender’s security service occupies a lower layer than the malware, then that security service should be able to detect, contain, and remove the malware. Conversely, if the malware occupies a lower layer than the security service, then the malware should be able to evade the security service and manipulate its execution.

Because of the greater control afforded by lower layers in the system, both security services and rootkits have evolved by migrating to these layers. Early rootkits simply replaced user-level programs, such as ps, with trojan horse programs that lied about which processes were running. These user-level rootkits were detected easily by user-level intrusion detection systems such as TripWire [29], and so rootkits moved into the operating system kernel. Kernel-level rootkits such as FU [16] hide malicious processes by modifying kernel data structures [12]. In response, intrusion detectors also moved to the kernel to check the integrity of the kernel’s data structures [11, 38]. Recently, researchers have sought to hide the memory footprint of malware from kernel-level detectors by modifying page protections and intercepting page faults [43]. To combat such techniques, future detectors may reset page protections and examine the code of the page-fault handler. …

Our project, which is called SubVirt, shows how attackers can use virtual-machine technology to address the limitations of current malware and rootkits. We show how attackers can install a virtual-machine monitor (VMM) underneath an existing operating system and use that VMM to host arbitrary malicious software. The resulting malware, which we call a virtual- machine based rootkit (VMBR), exercises qualitatively more control than current malware, supports general-purpose functionality, yet can completely hide all its state and activity from intrusion detection systems running in the target operating system and applications. …

A virtual-machine monitor is a powerful platform for malware. A VMBR moves the targeted system into a virtual machine then runs malware in the VMM or in a second virtual machine. The targeted system sees little to no difference in its memory space, disk space, or execution (depending on how completely the machine is virtualized). The VMM also isolates the malware’s state and events completely from those of the target system, so software in the target system cannot see or modify the malicious software. At the same time, the VMM can see all state and events in the target system, such as keystrokes, network packets, disk state, and memory state. A VMBR can observe and modify these states and events—without its own actions being observed—because it completely controls the virtual hardware presented to the operating system and applications. Finally, a VMBR provides a convenient platform for developing malicious services. A malicious service can benefit from all the conveniences of running in a separate, general-purpose operating system while remaining invisible to all intrusion detection software running in the targeted system. In addition, a malicious service can use virtual-machine introspection to understand the events and states taking place in the targeted system. …

In the overall structure of a VMBR, a VMBR runs beneath the existing (target) operating system and its applications (Figure 2). To accomplish this, a VMBR must insert itself beneath the target operating system and run the target OS as a guest. To insert itself beneath an existing system, a VMBR must manipulate the system boot sequence to ensure that the VMBR loads before the target operating system and applications. After the VMBR loads, it boots the target OS using the VMM. As a result, the target OS runs normally, but the VMBR sits silently beneath it.

To install a VMBR on a computer, an attacker must first gain access to the system with sufficient privileges to modify the system boot sequence. There are numerous ways an attacker can attain this privilege level. For example, an attacker could exploit a remote vulnerability, fool a user into installing malicious software, bribe an OEM or vendor, or corrupt a bootable CD-ROM or DVD image present on a peer-to-peer network. On many systems, an attacker who attains root or Administrator privileges can manipulate the system boot sequence. On other systems, an attacker must execute code in kernel mode to manipulate the boot sequence. We assume the attacker can run arbitrary code on the target system with root or Administrator privileges and can install kernel modules if needed. …

VMBRs use a separate attack OS to deploy malware that is invisible from the perspective of the target OS but is still easy to implement. None of the states or events of the attack OS are visible from within the target OS, so any code running within an attack OS is effectively invisible. The ability to run invisible malicious services in an attack OS gives intruders the freedom to use user-mode code with less fear of detection.

We classify malicious services into three categories: those that need not interact with the target system at all, those that observe information about the target system, and those that intentionally perturb the execution of the target system. In the remainder of this section, we discuss how VMBRs support each class of service.

The first class of malicious service does not communicate with the target system. Examples of such services are spam relays, distributed denial-of-service zombies, and phishing web servers. A VMBR supports these services by allowing them to run in the attack OS. This provides the convenience of user-mode execution without exposing the malicious service to the target OS.

The second class of malicious service observes data or events from the target system. VMBRs enable stealthy logging of hardware-level data (e.g., keystrokes, network packets) by modifying the VMM’s device emulation software. This modification does not affect the virtual devices presented to the target OS. For example, a VMBR can log all network packets by modifying the VMM’s emulated network card. These modifications are invisible to the target OS because the interface to the network card does not change, but the VMBR can still record all network packets. …

The third class of malicious service deliberately modifies the execution of the target system. For example, a malicious service could modify network communication, delete e-mail messages, or change the execution of a target application. A VMBR can customize the VMM’s device emulation layer to modify hardware-level data. A VMBR can also modify data or execution within the target through virtual-machine introspection.

Using our proof-of-concept VMBRs, we developed four malicious services that represent a range of services a writer of malicious software may want to deploy. We implemented a phishing web server, a keystroke logger, a service that scans the target file system looking for sensitive files, and a defense countermeasure that defeats a current virtual-machine detector. …

To avoid being removed, a VMBR must protect its state by maintaining control of the system. As long as the VMBR controls the system, it can thwart any attempt by the target to modify the VMBR’s state. The VMBR’s state is protected because the target system has access only to the virtual disk, not the physical disk.

The only time the VMBR loses control of the system is in the period of time after the system powers up until the VMBR starts. Any code that runs in this period can access the VMBR’s state directly. The first code that runs in this period is the system BIOS. The system BIOS initializes devices and chooses which medium to boot from. In a typical scenario, the BIOS will boot the VMBR, after which the VMBR regains control of the system. However, if the BIOS boots a program on an alternative medium, that program can access the VMBR’s state.

Because VMBRs lose control when the system is powered off, they may try to minimize the number of times full system power-off occurs. The events that typically cause power cycles are reboots and shutdowns. VMBRs handle reboots by restarting the virtual hardware rather than resetting the underlying physical hardware. By restarting the virtual hardware, VMBRs provide the illusion of resetting the underlying physical hardware without relinquishing control. Any alternative bootable medium used after a target reboot will run under the control of the VMBR.

In addition to handling target reboots, VMBRs can also emulate system shutdowns such that the system appears to shutdown, but the VMBR remains running on the system. We use ACPI sleep states [3] to emulate system shutdowns and to avoid system power-downs. ACPI sleep states are used to switch hardware into a low-power mode. This low-power mode includes spinning down hard disks, turning off fans, and placing the monitor into a power-saving mode. All of these actions make the computer appear to be powered off. Power is still applied to RAM, so the system can come out of ACPI sleep quickly with all memory state intact. When the user presses the power button to “power-up” the system, the computer comes out of the low-power sleep state and resumes the software that initiated the sleep. Our VMBR leverage this low-power mode to make the system appear to be shutdown; when the user “powers-up” the system by pressing the power button the VMBR resumes. If the user attempts to boot from an alternative medium at this point, it will run under the control of the VMBR. We implemented shutdown emulation for our VMware-based VMBR. …

We first measure the disk space required to install the VMBR. Our Virtual PC-based VMBR image is 106 MB compressed and occupies 251 MB of disk space when uncompressed. Our VMware-based VMBR image is 95 MB compressed and occupies 228 MB of disk space uncompressed. The compressed VMBR images take about 4 minutes to download on a 3 Mb/s cable modem connection and occupy only a small fraction of the total disk space present on modern systems. …

The installation measurements include the time it takes to uncompress the attack image, allocate disk blocks, store the attack files, and modify the system boot sequence. Installation time for the VMware-based VMBR is 24 seconds. Installation for the Virtual PC-based VMBR takes longer (262 seconds) because the hardware used for this test is much slower and has less memory. In addition, when installing a VMBR underneath Windows XP, we swap the contents of the disk blocks used to store the VMBR with those in the beginning of the Windows XP disk partition, and these extra disk reads/writes further lengthen the installation time.

We next measure boot time, which we define as the amount of time it takes for an OS to boot and reach an initial login prompt. Booting a target Linux system without a VMBR takes 53 seconds. After installing the VMware-based VMBR, booting the target system takes 74 seconds after a virtual reboot and 96 seconds after a virtual shutdown. It takes longer after a virtual shutdown than after a virtual reboot because the VMM must re-initialize the physical hardware after coming out of ACPI sleep. In the uncommon case that power is removed from the physical system, the host OS and VMM must boot before loading the target Linux OS. The VMware-based VMBR takes 52 seconds to boot the host OS and load the VMM and another 93 seconds to boot the target Linux OS. We speculate that it takes longer to boot the target OS after full system power-down than after a virtual reboot because some performance optimizations within the VMware VMM take time to warm up.

Booting a target Windows XP system without a VMBR takes 23 seconds. After installing the Virtual PC-based VMBR, booting the target system takes 54 seconds after a virtual reboot. If power is removed from the physical system, the Virtual PC-based VMBR takes 45 seconds to boot the host OS and load the VMM and another 56 seconds to boot the target Windows XP OS. …

Despite using specialized guest drivers, our current proof-of-concept VMBRs use virtualized video cards which may not export the same functionality as the underlying physical video card. Thus, some high-end video applications, like 3D games or video editing applications, may experience degraded performance.

The physical memory allocated to the VMM and attack OS is a small percentage of the total memory on the system (roughly 3%) and thus has little performance impact on a target OS running above the VMBR. …

In this section, we explore techniques that can be used to detect the presence of a VMBR. VMBRs are fundamentally more difficult to detect than traditional malware because they virtualize the state seen by the target system and because an ideal VMBR modifies no state inside the target system. Nonetheless, a VMBR does leave signs of its presence that a determined intrusion detection system can observe. We classify the techniques that be used to detect a VMBR by whether the detection system is running below the VMBR, or whether the detection system is running above the VMBR (i.e., within the target system). …

There are various ways to gain control below the VMBR. One way to gain control below the VMBR is to use secure hardware. Intel’s LaGrande [25], AMD’s platform for trustworthy computing [2], and Copilot [36] all propose hardware that can be used to develop and deploy low-layer security software that would run beneath a VMBR.

Another way to gain control below the VMBR is to boot from a safe medium such as a CD-ROM, USB drive or network boot server. This boot code can run on the system before the VMBR loads and can view the VMBR’s quiescent disk state. …

A third way to gain control below the VMBR is to use a secure VMM [17]. Like alternative bootable media, secure VMMs gain control of the system before the operating system boots. Running a secure VMM does not by itself stop a VMBR, as a VMBR can still insert itself between the VMM and the operating system. However, a secure VMM does retain control over the system as it runs and could easily add a check to stop a VMBR from modifying the boot sequence above the secure VMM. …

There are several reasons why traditional techniques (e.g., having the target system scan memory or disk) may not be able to detect a VMBR. First, the target system is confined to its virtual machine. Since the VMBR stores its state outside that virtual machine, the target system will see no suspicious changes in its own state. Second, even if the target system did see something amiss, the VMBR could tamper with the execution of the detector and force it to report incorrect results. …

A fundamental perturbation of the VMBR is that it uses machine resources such as CPU time, memory and disk space, and possibly network bandwidth. A VMBR adds CPU overhead to trap and emulate privileged instructions, as well as to run any malicious services. …

In addition to CPU overhead, a VMBR uses memory and disk space. A detector can detect this overhead by running a program that requires the entire machine’s memory or disk space. A VMBR can hide its space overhead in several ways. It can hide its memory overhead by mapping target pages with the same contents to the same physical page [47] or by paging some data to disk. While this extra paging activity may increase the running time of the program, the memory overhead of VMware was too small to measure in our tests. A VMBR can hide its disk overhead by compressing a portion of the disk, sharing disk blocks with the same contents, or pretending that the disk space it uses have bad sectors. …

Another type of perturbation is caused by the variety of I/O devices on the computer. Recall that a VMM typically virtualizes all I/O devices. However, virtualizing the I/O device without changing the target’s view of the device requires one to understand the interface and semantics of each device. This is a formidable task, given the wide variety of I/O devices present on today’s computing platforms. Instead, current VMMs emulate a small number of virtual devices (often with customized interfaces to improve performance [1, 34]). The target OS must then use the drivers for the emulated virtual devices. …

A final source of perturbations are caused by the imperfect virtualization of today’s x86 processors. Sensitive, non-privileged instructions like sidt leak information about the VMM yet do not trap to the VMM [31, 37]. …

We expect future enhancements to the x86 platform to reduce these perturbations. Upcoming virtualization support from Intel [45] and AMD [7] will enable more efficient virtualization. These enhancements eliminate sensitive, non-privileged instructions so they cannot be used from the CPU’s user-mode to detect the presence of a VMM. These enhancements may also accelerate transitions to and from the VMM, and this may reduce the need to run specialized guest drivers. …

However, VMBRs have a number of disadvantages compared to traditional forms of malware. When compared to traditional forms of malware, VMBRs tend to have more state, be more difficult to install, require a reboot before they can run, and have more of an impact on the overall system. Although VMBRs do offer greater control over the compromised system, the cost of this higher level of control may not be justified for all malicious applications.

Virtual-machine based rootkits Read More »

Ballmer says Windows is more secure than Linux

From Steven J. Vaughan-Nichols’s “Longhorn ‘Wave’ Rolling In” (eWeek: 20 October 2004):

The questions led into a discussion of Linux, with Bittmann observing that there’s a market perception that Linux is more secure.

“It’s just not true,” Ballmer responded. “We’re more secure than the other guys. There are more vulnerabilities in Linux; it takes longer for Linux developers to fix security problems. It’s a good decision to go with Windows.”

Ballmer says Windows is more secure than Linux Read More »

Steve Ballmer couldn’t fix an infected Windows PC

From David Frith’s “Microsoft takes on net nasties” (Australian IT: 6 June 2006):

MICROSOFT executives love telling stories against each other. Here’s one that platforms vice-president Jim Allchin told at a recent Windows Vista reviewers conference about chief executive Steve Ballmer.

It seems Steve was at a friend’s wedding reception when the bride’s father complained that his PC had slowed to a crawl and would Steve mind taking a look.

Allchin says Ballmer, the world’s 13th wealthiest man with a fortune of about $18 billion, spent almost two days trying to rid the PC of worms, viruses, spyware, malware and severe fragmentation without success.

He lumped the thing back to Microsoft’s headquarters and turned it over to a team of top engineers, who spent several days on the machine, finding it infected with more than 100 pieces of malware, some of which were nearly impossible to eradicate.

Among the problems was a program that automatically disabled any antivirus software.

“This really opened our eyes to what goes on in the real world,” Allchin told the audience.

If the man at the top and a team of Microsoft’s best engineers faced defeat, what chance do ordinary punters have of keeping their Windows PCs virus-free?

Steve Ballmer couldn’t fix an infected Windows PC Read More »

Windows Metafile vulnerability

From Noam Eppel’s “Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security“:

On Dec. 27, 2005 a Windows Metafile (.WMF) flaw was discovered affecting fully patched versions of XP and Windows 2003 Web Server. Simply by viewing an image on a web site or in an email or sent via instant messenger, code can be injected and run on the target computer. The vulnerability was in the Windows Graphics Rendering Engine which handles WMF files, so all programs such as Internet Explorer, Outlook and Windows Picture and Fax viewer which process this type of file were affected.

Within hours, hundred of sites start to take advantage of the vulnerability to distribute malware. Four days later, the first Internet messenger worm exploiting the .wmf vulnerability was found. Six days later, Panda Software discovers WMFMaker, an easy-to-use tool which allows anyone to easily create a malicious WMF file which exploits the vulnerability.

While it took mere hours for cybercriminals to take advantage of the vulnerability, it took Microsoft nine days to release an out-of-cycle patch to fix the vulnerability. For nine entire days the general public was left with no valid defenses.

The WMF Flaw was a security nightmare and a cybercriminal dream.It was a vulnerability which (a) affected the large majority of Windows computers (b) was easy to exploit as the victim simply had to view an image contained on a web site or in an email, and (c) was a true zero-day with no patch available for nine days. During those nine days, the majority of the general population had no idea how vulnerable they were.

Windows Metafile vulnerability Read More »

IE unsafe 98% of the time

From Noam Eppel’s “Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security“:

The security company Scanit recently conducted a survey which tracked three web browsers (MSIE, Firefox, Opera) in 2004 and counted which days they were “known unsafe.” Their definition of “known unsafe”: a remotely exploitable security vulnerability had been publicly announced and no patch was yet available. Microsoft Internet Explorer, which is the most popular browser in use today and installed by default on most Windows-based computers, was 98% unsafe. Astonishingly, there were only 7 days in 2004 without an unpatched publicly disclosed security hole. Read that last sentence again if you have to.

IE unsafe 98% of the time Read More »

Big companies & their blind spots

From Paul Graham’s “Are Software Patents Evil?“:

Fortunately for startups, big companies are extremely good at denial. If you take the trouble to attack them from an oblique angle, they’ll meet you half-way and maneuver to keep you in their blind spot. To sue a startup would mean admitting it was dangerous, and that often means seeing something the big company doesn’t want to see. IBM used to sue its mainframe competitors regularly, but they didn’t bother much about the microcomputer industry because they didn’t want to see the threat it posed. Companies building web based apps are similarly protected from Microsoft, which even now doesn’t want to imagine a world in which Windows is irrelevant. …

Big companies & their blind spots Read More »

The botnet hunters

From The Washington Post‘s “Bringing Botnets Out of the Shadows“:

Nicholas Albright’s first foray into some of the darkest alleys of the Internet came in November 2004, shortly after his father committed suicide. About a month following his father’s death, Albright discovered that online criminals had broken into his dad’s personal computer and programmed it to serve as part of a worldwide, distributed network for storing pirated software and movies. …

From that day forward, Albright poured all of his free time and pent-up anger over his father’s death into assembling “Shadowserver,” a group of individuals dedicated to battling large, remote-controlled herds of hacked personal PCs, also known as “botnets.” …

Each “bot” is a computer on which the controlling hacker has installed specialized software that allows him to commandeer many of its functions. Hackers use bots to further their online schemes or as collection points for users’ personal and financial information.

“I take my [handheld computer] everywhere so I can keep tabs on the botnets when I’m not at home,” Albright said …

On a Sunday afternoon in late February, Albright was lurking in an online channel that a bot herder uses to control a network of more than 1,400 hacked computers running Microsoft Windows software. The hacker controlling this botnet was seeding infected machines with “keyloggers,” …

Albright had already intercepted and dissected a copy of the computer worm that the attacker uses to seize control of computers — an operation that yielded the user name and password the hacker uses to run the control channel. By pretending to be just another freshly hacked bot reporting for duty, Albright passively monitors what the hackers are doing with their botnets and collects information that an Internet service provider would need to get the channel shut down.

Albright spied one infected PC reporting data about the online activities of its oblivious owner — from the detailed information flowing across the wire, it was clear that one of the infected computers belongs to a physician in Michigan.

“The botnet is running a keylogger, and I see patient data,” Albright said. …

“Anything you submit to law enforcement may help later if an investigation occurs,” he said. “Chances are, though, it will just be filed away in a database.”

Botnets are the workhorses of most online criminal enterprises today, allowing hackers to ply their trade anonymously — sending spam, sowing infected PCs with adware from companies that pay for each installation, or hosting fraudulent e-commerce and banking Web sites. …

… in the 13-month period ending in January, more than 13 million PCs around the world were infected with malicious code that turned them into bots.

… Shadowserver locates bot networks by deploying a series of “honeynets” — sensors that mimic computers with known security flaws — in an effort to lure attackers, allowing the group to capture samples of new bot programs. …

Shadowserver submits any new or undetected specimens to the major anti-virus companies. Andrews said he is constantly surprised by the sheer number of bot programs that do not get flagged as malicious by any of the programs. …

In Andrews’s experience, by far the most common reason criminals create botnets these days — other than perhaps to sell or rent them to other criminals — is to install online ad-serving software that earns the attacker a few pennies per install. …

Even after the Shadowserver crew has convinced an ISP to shut down a botmaster’s command-and-control channel, most of the bots will remain infected. Like lost sheep without a shepherd, the drones will continually try to reconnect to the hacker’s control server, unaware that it no longer exists. …

“Bot hunting can really take over your personal life, because to do this right you really have to stay on top of it — it can’t just be something you do on the weekends,” he said. “I guess it takes a special type of person to be able to sustain botnet hunting. … I don’t know anyone who pays people to do this kind of work.” …

Albright said that while federal law enforcement has recently made concerted efforts to reach out to groups like Shadowserver in hopes of building a more effective partnership, they don’t have the bodies, the technology, or the legal leeway to act directly on the information the groups provide. …

“Sadly, without more law enforcement support this will remain a chase-your-tail type game, because we won’t ever really shut these networks down until the bot master goes to jail, and his drones are cleaned.”

The botnet hunters Read More »

Trusted Computing: security for whom? from whom?

From Bruce Schneier’s “Trusted Computing Best Practices“:

The language [in the Trusted Computing Group’s best practices document] has too much wiggle room for companies to break interoperability under the guise of security: “Furthermore, implementations and deployments of TCG specifications should not introduce any new interoperability obstacles that are not for the purpose of security.”

That sounds good, but what does “security” mean in that context? Security of the user against malicious code? Security of big media against people copying music and videos? Security of software vendors against competition? The big problem with TCG [Trusted Computing Group] technology is that it can be used to further all three of these “security” goals, and this document is where “security” should be better defined.

Trusted Computing: security for whom? from whom? Read More »

Unpatched Linux, 3 months; unpatched Windows, 20 minutes

From Bruce Schneier’s “Linux Security“:

I’m a big fan of the Honeynet Project … Basically, they wire computers up with sensors, put them on the Internet, and watch hackers attack them.

They just released a report about the security of Linux:

Recent data from our honeynet sensor grid reveals that the average life expectancy to compromise for an unpatched Linux system has increased from 72 hours to 3 months. …

This is much greater than that of Windows systems, which have average life expectancies on the order of a few minutes.

… That’s the real story: the hackers aren’t bothering with Linux. Two years ago, a vulnerable Linux system would be hacked in less than three days; now it takes three months.

Why? My guess is a combination of two reasons. One, Linux is that much more secure than Windows. Two, the bad guys are focusing on Windows — more bang for the buck.

Unpatched Linux, 3 months; unpatched Windows, 20 minutes Read More »

Zombies from China attack Internet

From Computerworld‘s “Army of zombies invades China“:

China’s rapid Internet growth has brought with it a somewhat disturbing side effect: multiplying zombies up to no good.

Zombies, or Internet-connected computers infected by worms or viruses and under the control of a hacker, are used to launch denial-of-service (DoS) attacks, or send spam or phishing e-mails. An average of 157,000 new zombies are identified each day, and 20% of these are in China, security company CipherTrust Inc. reported this week.

… “Criminals look for a weaker link, so places like China, or anywhere behind the U.S. in terms of computer literacy, are a good target,” Stanley said.

China’s fast-growing Internet population is also an attraction, he said. As of January, there were 94 million Internet users in the China, up 18% from the year before, according to the China Internet Network Information Center (CNNIC).

Zombies from China attack Internet Read More »

Why people don’t use firewalls

From the Windows OneCare Team Blog’s “Windows OneCare Firewall – Keepin’ it Green, Part I“:

Through a combination of surveys, emails and customer communication, we maintain a close watch on the “health” status indicators, such as, percent of users with anti-virus out of date, or the ratio of customers that are regularly backing up files.

… Recently, we have noticed a slight increase in the number of people turning off their firewall, with a corresponding decrease in the number of green machines.

Based on our investigation, there are four primary reasons people are turning off their firewall.

1. Do not think a software firewall is necessary
2. Do not like the (sometimes incessant) pop-up dialogs
3. An application failed to install with firewall turned on
4. An application fails to work with firewall turned on

Why people don’t use firewalls Read More »

Nothin’ like nerdy Microsoft humor

In January 2002, I was running for the position of Vice President of the St. Louis Unix Users Group. On the SLUUG listserv, someone proposed that those running for office come clean on any ethical lapses. Here’s what I wrote:

Fine … I’ll go first and admit my ethical lapses.

I used to use Windows. A lot. All the time. It was really hard to stop. I mean, it came free with my computer. The guy at the store said, “Hey, try it. It’s free. Everyone else is doing it. You’ll feel good.” So I did. I gave in. I was weak. And then it got really hard to just say no. I kept giving more and more money to Microsoft, and Microsoft had me in its claws. I’d come to it every couple of days: “Hey, Microsoft, got anything else for me?” I sold things to buy more Microsoft products. I withdrew from my family, my friends, other people. Finally, one day I hit bottom … I looked around, and saw little multi-colored flags everywhere on my computer. I knew I was powerless. And that’s when I knew things had to change. I came to a LUG meeting, and I stood up, and I said, “Hi. My name is Scott, and I’m a Windows user.” Everyone was really nice … a lot of them had been in the same situation I was. Since then, the group has helped me gain the strength to get the Microsoft monkey off my back, and now I’m happier and more fulfilled than I ever was. Thank you, St. Louis Unix Users Group!

Nothin’ like nerdy Microsoft humor Read More »

My first book – Don’t Click on the Blue E! – is out!

For all those surfers who have slowly grown disenchanted with Microsoft’s Internet Explorer web browser, Don’t Click on the Blue E! from O’Reilly is here to help. It offers non-technical users a convenient roadmap for switching to a better web browser – Firefox.

The only book that covers the switch to Firefox, Don’t Click on the Blue E! is a must for anyone who wants to browse faster, more securely, and more efficiently. It takes readers through the process step-by-step, so it’s easy to understand. Schools, non-profits, businesses, and individuals can all benefit from this how-to guide.

Firefox includes most of the features that browser users are familiar with, along with several new features other browsers don’t have, such as a bookmarks toolbar and window tabs that allow users to quickly switch among several web sites. There is also the likelihood of better security with Firefox.

All indications say that Firefox is more than just a passing fad. With USA Today and Forbes Magazine hailing it as superior to Internet Explorer, Firefox is clearly the web browser of the future. In fact, as it stands today, already 22% of the market currently employs Firefox for their browsing purposes.

Don’t Click on the Blue E! has been written exclusively for this growing audience. With its straightforward approach, it helps people harness this emerging technology so they can enjoy a superior – and safer – browsing experience.

Read two sample excerpts: Counteracting Web Annoyances (651 kb PDF) & Safety and Security (252 kb PDF).

Translated into Japanese!

Buy Don’t Click on the Blue E! from Amazon!

My first book – Don’t Click on the Blue E! – is out! Read More »