July 29, 2003

Huge Hole in Windows Credential Management

Well I am not sure when this will hit the wires, but there is a pretty large gaping hole in how Windows now handles stored credentials in the runas command. Doesn't seem to be a huge thing, until you consider that once used it allows that user to run as the credential... possibly meaning a normal user can run any command as administrator if the administrator runs runas even once... with stored credentials.

The idea behind the "runas" command is great. It allows for a user to run in a least privilege environment and still gain access to vital system commands. IN unix, we typically call that "su". In Windows, runas has an even nicer feature.

If you use the /savecred switch, it will save the credentials for later use. So if you entered:

runas /savecred /user:administrator regedit

You would be prompted for a password once, and then regedit would start up. Works great. Next time you run that same command, you wouldn't be prompted for the password.

Now the hole....

Once /savecred is used, you can pass runas ANY command.... and it will run as that credential if you continue to use the /savecred option. And thats bad. Why? Well imagine if I did this:

runas /savecred /user:administrator "C:\Program Files\Internet Explorer\iexplore.exe" c:

Guess what happens? I now have direct adminstrator rights to all files on the system. I can now go to town and do whatever the hell I want.

Now, I have bitched about runas before. But I still like it. That is evident in an old Code Project article I wrote on the subject of "Secure Coding Practices: Running with Least Privileges in Windows". Even so... this is such a glaring hole this isn't funny. And it seems this is generally accepted as ok at Microsoft, since I found others report this months ago in the windowsxp lists, with no response from Microsoft. *sigh*

If I knew how to hook into the shell properly I would go write a new version of runas for them. Could fix some things I hate about it. But alas, this is one of those HIDDEN features of the platform. *grrr*

Anyways coming back from that tangent, there is no easy way to REMOVE the credentials. But I did find an interesting post that covers off how to remove it manually through the registry.

Moral of the story... DON'T USE THE "/savecred" SWITCH FOR THE RUNAS CMD

Posted by SilverStr at 08:35 PM

Security is not a Product or OS, its a Process

Sorry I haven’t posted lately, but I have been in the dark chasms of the kernel debugger, working on a new mandatory access control system for Windows. Which gets me to my post today.

It seems lately I have been getting a lot of flak from friends and colleagues about my choice to develop security components on the latest Windows platforms, especially since Scoble commented on my visit to the Microsoft campus. I simply was ignoring the comments as everyone is entitled to their opinions, and I have been trying to stay under the radar for some time now. Besides that, as Scoble has pointed out recently secrets are a good thing(tm).

Although I won’t comment directly on what I am working on, I decided after a barrage of emails from a few hardcore Linux zealots that I respect (who wish to remain anonymous [cowards :) ]) that I should explain WHY I made this decision.

If you know me at all, you know I myself was a Linux zealot moons ago. Now I realize you need to use the right tool for the right job. (And Linux still is right for me as a server environment for small businesses) But for over 6 years I did nothing but live, breath and DIE by the Linux sword. I wrote components to build firewalls, IPSec VPN devices, IDS sensors, automated vulnerability assessment tools and a plethora of supporting code to wrap them all nicely together. I invented the FireCard (now called the GG-Blade) and lead the team that created the first secure embedded OS based on Linux way before the embedded movement even got started. (An entire security platform designed in under 8megs of ram) It won many awards and received great praise from the security industry. That’s where the ego-stroking fun ends of what I did, and reality begins.

The reality is that security is a process, not a product. Yes I continue to quote Bruce Schneier’s mantra to this day… but didn’t really live by it. What good was making great technology that was not used by very many people? More to the point, how arrogant could I be to assume that the world would change their beliefs in security and flock to an embedded device that truly could HELP them mitigate their online risks? Well, as I stand here now, I tell you now that security is a business problem, and not a technology one. And that is why I left and founded a new security company.

Which gets me to the core of why I decided to build security components on Windows. For years I criticized Microsoft for its lax position on security, especially at how it relates to the attack surface of its default installation, its continuous bad behavior in patch management and its release management cycles for security fixes. It was a sore spot, but something I could always attack because Linux was better. And it was. And in many cases it still is. But as I say this, I remember why I dislike where many Linux vendors like RedHat have been going. They have fallen in the same trap as Microsoft and sacrifice security for ease of use. For some silly reason people believe they can’t have both a secure environment and be easy to use. Here is a reality check for everyone. Operating systems MUST start shipping in a secure state before we can even begin to properly secure the network topology. With Windows 2003, Microsoft is starting to get that. It’s ridiculous to assume that Microsoft doesn’t have some of the brightest security minds on campus. I know some of them like Michael Howard KNOW what to do, and work hard in the Secure Windows Initiative division to distill this sense of mindset to rest of the campus. You can’t change a developer’s thinking overnight, but I am starting to see Microsoft slowly turn around. And this is where I come in. Instead of bitching about the insecurities of Windows, I have decided to do something about it. I think Kevin Day summed it up best in his book Inside the Security Mind:

Security can be accomplished in any environment. It can be accomplished without monopolizing our time and resources, and without emptying our wallets. It can be accomplished without years of training and without having to know every vulnerability, threat, and counter-measure in existence. When addressed in the correct manner, security simply becomes an extension of our normal operations, and the best protective measures require the least amount of ongoing effort.

Amen. So that is where I am. I am addressing what I believe are weaknesses in platforms used by a majority of the Internet in an attempt to make the best protective measures become normal operations within an organization. So that HAS to include Microsoft platforms. Most commercial operations have Internet or network facing devices running Microsoft product that are not properly maintained. This is a key realization. Each of these poorly secured systems has been administered by someone who did not treat security as a normal operation, and now it’s becoming our problem because their systems are now attacking us.

If security practices are a burden, something is wrong. This is where most vendors (including Microsoft) have failed. And that is the trick. Our role should be to keep ourselves safe so others will be safe from us. And this has to be accomplished by easing the complexities of the platforms and provide mechanisms to regain trust in these environments. Personally, I see this as something lacking in Microsoft platforms. It is simply to hard for many system administrators to regain that trust, which makes it to hard to trust them. We need to be able to trust… but verify… that the appropriate actions to properly secure the environment are being taken.

Don’t believe me? Consider this scenario. Someone has just defaced your main webpage on W2K. In a single command right now show me the last 10 people who logged onto you W2K environment, and tell me how long they were on. Now tell me which files they touched, and what changed. Restrict and jail IIS from being able to load any files except in the web’s root directory, and prevent no write operations on any of those files. If you are based off of a default W2K install… you can’t. And if you are not a guru of the platform, you probably won’t be able to figure out how to do this anyways. And by now... it’s already too late. You are in the process of doing a forensic analysis… and this wasn’t configured and set up before the incident occurred.

This has to change. And instead of bitching and moaning, I am doing something about it. And I stand by that decision. So continue to fire off more flak if you care to, I am thick skinned. While you barrage and berate me for making such a decision, remember that my efforts will result in helping YOU, as less Windows machines will have such a huge attack surface to be used as a hacker’s piñata… and thus end up being a launching point to nail your Unix servers and Windows workstations.

Posted by SilverStr at 09:36 AM | Comments (5)

July 22, 2003

Cracking Windows Passwords in 5 seconds

Over lunch I read a pretty interesting paper on "Making a Faster Cryptanalytic Time-Memory Trade-Off". In around 1980 Martin Hellman described a cryptanalytic time-memory trade-off which reduces the time of cryptanalysis by using precalculated data stored in memory. This was improved upon by Rivest sometime in 1982, and the researcher believes no work since then has been done to optomize it.

The paper proposed that by precalculating the data it can significantly speed up the cryptoanalysis process. The researchers have implemented an attack on MS-Windows password hashes. Using 1.4GB of data (two CD-ROMs) they can crack 99.9% of all alphanumerical passwords hashes (2^37) in 13.6 seconds which is quite impressive. The next closest thing takes
101 seconds with the current approach using distinguished points. L0phtcrack takes even longer most times.

It's a good read. It will be interesting to see how other cryptanalysts will respond to this paper. If you got some time, go read the paper.

If you want to see it in action check out some of their online research and demo here.

Posted by SilverStr at 02:46 PM

Funny Banter.

This made me snicker. Here is some banter on a mailing list I am on. (Named changed to protect the innocent)

Tom: How so unlike you to take an anti-establishment view!
Dick: Not anti-establishment. I am far from an anarchist. "I am anti-idiot".
Tom: Anti-idiot is not political. It's religion. At least for me it is.

Well, maybe you needed to be there. I thought it was funny.

Posted by SilverStr at 10:18 AM

The Cyber Problem—A Nation Dependent and Dealing with Risk

I stumbled across some very interesting testimony by Bruce Schneier in front of the Subcommittee on Cybersecurity, Science, and Research and Development (part of the committee on Homeland Security for the United States House of Representatives) and it bares some resemblance to stuff I have been talking about recently.

He does an excellent job of providing insight to the state of cybersecurity without throwing FUD to drive points home. His recommendations are sound:

  1. Stop trying to find consensus. Bruce clearly expresses the security community's concerns that documents coming out of the government try to be friendly to the industry in an effort to not offend particular parties. Why? Could it be because many of them don't want to fight with big business.... people that contribute to their campaigns?
  2. Expose computer hardware, software, and networks to liabilities. Lets face it. There is no liability for the actions vendors take to secure their product. Its hard when software development as an engineering field is still in its infancy. Image though if the government would not purchase product from Microsoft unless they would assume liability for that code. Interesting concept. It would FORCE Microsoft to take a better stance and be more pro-active in their secure coding efforts. They have come a long way in the past year, but still have a ways to go. But I think it would be fair to say its not just Microsoft. Hell, I try to secure all my code, but even I fret about weaknesses in the code and have to seek third parties to do code audits. The discipline of secure coding is just not yet mature.
  3. Secure your own networks. I call this "Eat your own dog food". Bruce brings up a good point. If the government funded projects securing its own infrastructure using commercial products and resources to put their house in order, the requirements for better security would improve the resources that are available to everyone, since everyone needs those same resources that the government does. Instead of making committees and ultra secret cells of security products/services, help build the commerical ones already in the industry. I think this would be a good argument on how CERT could get some money to strengthen its efforts.
  4. Use your buying power to drive an increase in security. I like this one. Government procurement policies could DEMAND better security from its vendors. There’s a “rising tide” effect that will happen; once companies deliver products to the increasingly demanding specifications of the government, the same products will be made available to private organizations as well. Companies like Microsoft do not wish to lose their government and educational business. It makes up a fair amount of their sales. If the government held them more accountable, Microsoft would respond in kind and increase the security effectiveness faster than its currently doing it. I don't blame Microsoft for this, but all of us as consumers for accepting this for far to long. We should have been demanding for more secure product YEARS ago. Maybe then the infrastructure would be cleaner as we would have a larger window to fix these problems.
  5. Invest in security research; invest in security education. The weakest link is the human factor when it comes to security. Education is key to the security management life cycle, and is something we need more of. I guest lecture at the local university about secure coding not to listen to myself speak about a subject I am passionate about. I do it to hopefully educate the masses in a way that will increase security-minded thinking, resulting in hopefully more secure code.. and in the end a better quality product. Top that off with funding to do more research, and investment in such endevours helps us all.
  6. Rationally prosecute cybercriminals. Real cybercrime has to be punished. We aren't talking about cyberpranks here, but people who maliciously release havok on the Internet, and the critical infrasture connected. IANAL, so I have no clue were these boundries really are. But I know the legal system is way to far behind to be useful in this regard.

I applaud Bruce for well presented testimony in front of his government. If the US government takes heed, maybe some good will come of it. At a minimum, I hope it causes some ripples in the hardware and software industry as they begin to realize that we can't afford to NOT include more security minded thinking in our product development, management and deployment. I know it has me reflecting on myself and thinking of new ways to better secure my code, as I hold myself liable for what I do everyday. When customers start demanding it, I think all software developers will need to think about this more.

Posted by SilverStr at 10:04 AM

Quote of the Day

“Never let the future disturb you. You will meet it, if you have to, with the same weapons of reason which today arm you against the present.”

- Marcus Aurelius Antoninus

Posted by SilverStr at 08:42 AM | Comments (1)

July 21, 2003

MAME is Evil

Man is MAME an evil emulator. It sucks time straight from your fingertips! This evening while waiting for a couple of master builds to complete, I thought I would try to find an ol' ROM to burn some time. Dug up 1942, and 3 hours later realize I "theoretically" just blew like $20 in quarters and 3 hours of my life. Man, I remember the day it came out back in 1984... it rocked. And even today it kept me engaged.

I will say this for MAME. Its pretty good.... but it SUCKS to play these old games on the keyboard instead of a joystick. Oh well... I should check in my code and head to bed anyways. Maybe tomorrow night I will see if I can find Dig Dug, Wonder Boy or maybe even one of my old favorites... like Gauntlet or Tiger Heli.

Posted by SilverStr at 01:27 AM | Comments (7)

July 18, 2003

Serious security related flaw in Windows

Well if you haven't heard, there is a pretty major buffer overflow bug in the DCOM RPC code for all flavours of Windows with the NT kernel, including the latest W2K3 which went through a much more thorough audit of all code before release as part of its Trustworthy Initiative. If you send a carefully crafted TCP packet to port 135, you can run malicious code, and could possibly even elevate privileges as the SYSTEM account. Microsoft released an advisory here, and has it in the Windows Update tree.

If you are a reader using my IPLinks security driver type this as admin in the cmd line to deal with it until you patch up:

iplinks deny in tcp from any to any:135 log

Happy patching.

Posted by SilverStr at 12:22 AM

July 17, 2003

Using Blogs as a tool for the Security Professional

I just finished reading an interesting article by Scott Granneman over at SecurityFocus on using blogs as another tool in the Security Pro's Toolkit.

Its a multi-part article, and part one seems to be targetted more as an introduction to blogging. But I can see where this is leading. I use blogs routinely as a source of information from other security professionals in the industry on top of the huge masses of emails I filter through each day. The next part should be interesting if he spends some time recommending good security related blogs. I have a few indexed already, but could always use a few more feeds. If you know of any, drop me a comment so others can learn about it as well.

Posted by SilverStr at 11:53 PM

July 16, 2003

Hunting "Bambi"

What the hell is with these people?

Sometimes I wonder about the stupidity of mankind. Maybe we should start hunting these hunters naked with BB guns using salt BBs.

Dumb asses. All of them. Atleast... until Fox finds out and starts a reality show of it. *sigh*

Posted by SilverStr at 10:37 AM | Comments (3)

Quake II .NET

No I am not kidding.

While catching up on the latest going on over at CodeProject I found an interesting article about a guy who ported Quake 2 to managed C++. Apparently there is little to no lag/delay in the managed code running through the CLR. If this is true (I cannot confirm or deny this) its a leg up towards more people looking at the performance characterisitics of MS's CLR vs Sun's JRE.

Not sure what to make of it yet. Anyway you look at it, its still a really kewl port.

Posted by SilverStr at 09:54 AM

Back in Canada

So I am back. Had a great trip. But still happy to be home.

Had a great time. On my way down the I5 to Portland I got stuck at a huge accident just outside of Seattle. While crawling along on the freeway now turned into a parking lot, I took a pic of a funny license plate just ahead of me. Seems the beef industry in the US needs just as much help as we do up here... so much so they are advertising everywhere!

I found the I5 an awesome road to drive on. Outside of the weird blown tires all over the place during the entire trip (I am talking rubber from blown tires every couple of miles most of the way during my drive) it was nice to be able to push my Monte Carlo to some of its limits. With 3 and sometimes 4 lanes, with very little people on the road, I was able to finally see how my car could do. I am just happy I didn't have the NOS injector actually hooked up. I was already pushing 160-180 in a few spots.... who knows what stupidity I might have tried to pull if it was hooked up.

Can't really talk much about the contents of the trip, but everything went pretty well. While on Microsoft's campus I got to spend some time with Scoble and talk about life, the universe and everything security.... with a Linux undertone every so often. Kewl guy to hang with and share some "koolaid". Very bright, honest and not in one of the "zealot" camps that I detest so much. I think that will make him a much more effective employee for Microsoft, and one who is willing to listen to customers and take their concerns to the company. They are lucky to have him. Hope they listen to him. I also hope I get to hang with him some more soon. Maybe I will win the lottery and be able to afford to go to the PDC.

I would have liked to get a beer with Michael H. as well, but I couldn't get it scheduled in... and with the "Trustworthy Computer Fest" on campus I am sure he would have been way to busy anyways. No worries, I'll catch him next time.

Other than that.. not much more to say. I think I've said enough already... and its time for me to do something productive like work... or maybe finally answer all my email.

Posted by SilverStr at 09:04 AM

July 14, 2003

Blog downtime and stuff

Well, Arcterex informs me that ufies.org is going down as the ISP does some stuff on July 15th, around 10am PST. As such, this blog will be offline until they bring things back up. Shouldn't hurt to bad. I am told its only expected to be a few hours. Lets hope it goes smoothly.

On an aside, I expect to be in Seattle and on the Microsoft campus around 3 or 4pm tomorrow, so those of you I am going to be meeting with on campus have an idea when I will be there now. I expect to leave Portland at noon and take the I5 to the 405 North, so barring getting lost and ending up in Canada I will you see you then.

Posted by SilverStr at 10:38 PM

July 13, 2003

Running with different Credentials

Man some days I just start to like the latest flavours of MS OS, and other days I just don't get how they do things. I am sitting down in my room in Portland (doing a Threat Modelling Seminar tomorrow and decided to drive down from Canada today and enjoy the trip) and am getting really ticked off every time I try to do some admin or development on my laptop. Why? Because I run with least privilege, and have very little rights to do anything on my machine as a normal user. Thats expected. Thats what I want.. and I have been developing software in a least priviledge mode for a LONG time. WinDbg works fine with vim under cygwin... and I am a happy camper.

But even still, I STILL get frustrated with the ass backwards way the "Run as" command works. In Unix "su" is quite easy to set up. Of course, its cmd line. Windows has a pretty "Run with Different Credentials" dialog. Works great... except that its intellgence (lack there of) is just dumb.

When I DO do admin stuff or need to do something kernel-mode (ie, step through my ring0 code), I do it with a different account.. and that account is not even "Administrator". I set up a specific user called "root" with limited security tokens/DACL to do such work. Works awesome. Except every darn time I try using runas, I have to manually select from "Current User" to the user I wish to run as, and then edit my password. After doing it like 20 times by now you would think it would know what I want to do. Or atleast realize if I purposely SET the "Run with different credentials" checkbox that I do indeed wish to run as someone else, enable that and set focus to the password field.

*sigh* I know I am just whining about something that won't change anytime soon. I am happy they have a cleaner way to run with different privileges, but I wish they would use it themselves on a day to day basis so that they would realize how tedious this is, and how much easier/cleaner they could make it. I know Mike H. does over in the Secure Windows Initiative, but I would doubt the developers that worked on this code do. Of course, I could be wrong.

Anyways, enough ranting for the night. If you live in the Portland/Seattle area and are up for some company drop me a line. In between my lecturers I hope to be able to check email and try to schedule a few meet and greets. Talk to you then!

Posted by SilverStr at 11:07 AM | Comments (1)

July 11, 2003

Evesdropping on your neighbour... Spy vs. Spy style

Well I'll be. Cringely has opened up a can of worms in his latest Pulpit article talking about CALEA, and all the fun we get with electronic wiretapping.

Nothing he says is really new. Most of us knew about this years ago, especially since there have been a few good underground articles on the subject. But it was interesting how eliquently Rob puts everything.

Makes ya wonder. Security is only as strong as the weakest link. When the collection of evidence for later forensic analysis is considered suspect, how can you trust it? You can't. And you shouldn't. Yet in the States people get their rights trampled as law enforcement use this information, even though there is lack of evidance collection and preservation safeguards. I only hope the SIGINT community in Canada never fall into this trap.

Anyways, if you got some time, it's worth the read. If only to give you something more to shake your head at with Americian governmental thinking.

Posted by SilverStr at 02:58 PM

Gawd I want to byte an Apple

Man, Steve Jobs is the right man for the job at Apple. I just watched a great Keynote video of him presenting at the Worldwide Developers Conference and he can sure sell the technology and company.

If you haven't had a chance to view it yet.... go do it now.

I can't wait until I start porting Scorpion to the latest flavour of OSX!

Posted by SilverStr at 12:20 PM

July 10, 2003

Has it been 10 years already?

Happy Anniversary my love.

I wrote your name in the sky,
but the wind blew it away.
I wrote your name in the sand,
but the waves washed it away.
I wrote your name in my heart,
and forever it will stay.

Forever and Always

Posted by SilverStr at 02:06 PM | Comments (3)

July 07, 2003

Weekend Wrapup

You just got to love great weather. It drives you to go and do stuff. This weekend was chalk-full of (mis)adventure.

Lets see, I went to the lake to meditate for a while, finding a nice quiet bluff to relax and listen to nature (atleast until that damn ski boat decided to do tricks in front of me). I took my family out to Castle Fun Park and enjoyed an amazing round of outdoor mini golf at night, and then some of the indoor festivities after. (I am a bit sore from the batting cage). We ended the weekend off with a nice dinner in the Rose Garden over at "The Chief"'s place.

Throughout the weekend I made sure I got to spend some time on the back patio, just relaxing to the sound of the birds chirping. Actually, I am there right now as I write this (gotta love wireless), and have just decided I am going to work out here this morning as I finish off a presentation I have for tomorrow afternoon.

Hope you had an enjoyable weekend.

Posted by SilverStr at 08:18 AM

July 02, 2003

I am so proud to be Canadian!

In case you haven't heard, we just won the 2010 Olympic bid. The winter olympics are coming to BC!

I was in Calgary and saw the awesome conversion that the 88 Olympics did for them. The city has grown in beauty and usefulness because of everything the games brought. Canada Olympic Park (COP) is an amazing facility. Imagine a 15 minute car ride to a ski hill on the edge of the city to play on. Or luge. Or ski jump. Just awesome.

Watching the Vancouver video, I became teary eyed. I don't normally get emotional... but I was so PROUD to be a Canadian at that moment I didn't care.

Congratulations to the 2010 bid committee. You deserve this moment. Now lets get ready for the games!

Posted by SilverStr at 09:08 AM

July 01, 2003

Happy Canada Day!

Happy Birthday Canada!

Posted by SilverStr at 09:02 AM