September 30, 2003
FIPS 199 - A new Security Standards Doc
The National Institute of Standards and Technology (NIST) has released the final version of a Federal Information Processing Standard for categorizing security risks of federal information and systems.
There really isn't anything NEW here. The terminology and use of the CIA triad for information assurance is required reading in any security certification. But none the less, it is always good to be familar with these published standards. You can get the document here.
September 29, 2003
SecurID Auth for OpenSSH
Now this is a kewl idea! There is now a securid patch for openssh that supports RSA's SecurID tokens properly, including "New Pin" and "Next Pin" functionality.
This just rocks. Now if only the RSA Ace/Server and it's agents were not so expensive, more people could use this. I LOVE RSA's two factor authentication with SecurID. I think USB auth is just not feasible since most people don't HAVE access to their USB port that easily. I don't even mind buying new tokens every few years. What we need though is a nice open source Ace/Server so small businesses can actually afford to use it!
Anyways, if you happen to be a lucky person with an Ace/Server, now you can tie it to your SSH logins!
Cool Online Comic RSS Feeds
Today I stumbled upon Tapestry, a series of RSS feeds for online comics! This was a great find.
I only wish Illiad would hook up Userfriendly through RSS so my comic reading would be complete through my aggegator!
LOTR:ROTK Trailer is OUT!
The new Lord of the Rings:Return of the King trailer is out. I have linked to a small unknown mirror since all others seem to be slashdotted.
A few days I go I said I can't wait till Matrix Revolutions. Thats means nothing compared to this. OHHHHHHH I CAN'T WAIT!!!!
Blog Server Downtime
On September 29th, at around 2pm PST the server my blog is on will be down, and is getting moved. Sorry for the late notice. I wasn't given any... I just stumbled upon it when I was visiting Ufies.org.
The new IP address will be 22.214.171.124, and hopefully the DNS zone transfers will be quick. If not.... this blog will be out of service for a couple of days. If you just can't live without yer morning dose of SilverStr goodness (ya right), you can temporarily connect to it by going to http://126.96.36.199/~silverstr/blog/.
Thank you for your patience. And thanks to Arc for all the hard work on the server move! We appreciate it.
Posted by SilverStr at 06:51 AM
September 28, 2003
Will need to give that a try one of these days!
Posted by SilverStr at 12:53 AM
Creating Covert Network Comms
If you have even attended any lectures I have given on the powers of covert communications on networks, you might have heard me talk about my dynamic door opener I wrote to allow me to open a "window" of time on a server's firewall to allow me to connect from unknown foreign hosts that may not be trusted.
It works quite well, and I have used it for years on different machines around the world. Basically I can send a sequence of specially crafted ICMP messages (thank heavens for switches on ping like -p) to a network segment, and my back door will see it and create an ipchains/ipfw firewall rule to allow that host to connect and authenticate with SSH for 30 seconds. Once the 30 seconds are up, the firewall patches itself and the existing SSH tunnel will stay active, with me connected. (Assuming the firewall will still allow existing ports to stay open after the reset)
Well, it took some time to write that way back when in C (we are talking years ago when ipfwadm was just reaching its peek), and I must admit it was/is a bitch to maintain as firewalls become more complex. Quite frankly I haven't looked at the code in some times, and never ported it to Linux's iptables. Well, I found an interesting set of articles that have a different approach using fake DNS lookups.
Hacking Linux Exposed has released a three part series (well actually its 5 parts, but only three are useful to you) discussing how to use Net:Pcap to sniff for certain packets, run a program based on those packets and then send commands to that program. And it is even updated to use iptables! You can read each part of the series to understand what I am talking about:
It's a good read, and includes some perl scripts to make your life easy. If you feel you want to build covert channels to your machines, this may be the article you need. You could even use these articles as a base to create remote execution code sequences (like sending a crafted packet to start an automated penetration test from the server to the network you might currently be on) or extend it to do evil like DDoS attacks based on incoming packet sequence. YMMV. Use it responsibly please!
Posted by SilverStr at 12:32 AM
September 27, 2003
An Overlooked Construct and an Integer Overflow Redux
Here is an interesting article from Michael on "An Overlooked Construct and an Integer Overflow Redux". It dawned on me I didn't post this earlier when I was showing Arc some code and he wasn't sure what my integer sentry counter for overflowing was doing. This article will put it into perspective for you.
Anyways, as usual its a great article if you wish to learn how to code secure. Happy reading.
September 26, 2003
Lastest Matrix Revolutions Trailer... and it ROX!
Oh man I can't wait! I can't comment to do it justice. You gotta check out the new trailer!. Man November can't come soon enough.
@Stake fires Geer over Negative Microsoft Report
@Stake's comments: - "The values and opinions of the report are not in line with @Stake's views" explaining Geer's termination are concerning for a company that claims "we must not be afraid to take things apart, understand how they work, and share that information with the world."
This is sad. When a member of a security research company is not allowed to speak the truth in an effort to diagnose where problems are, and provide good solutions to solve these same problems, we a society have lost in this battle.
@Stake is a business, and they want to protect themselves. I can understand and respect that. But to be fired for publishing controversial research that is the TRUTH shows that a researcher's job security is at odds with professional ethics and their research standards.
This is just wrong. *sigh* I think Schneier summed it up best when he says:
"There is a huge chilling effect based on Microsoft's monopoly position. It's unfortunate that AtStake put its private agenda ahead of intellectual integrity."
Posted by SilverStr at 09:54 AM
September 25, 2003
CyberInsecurity - The Cost of Monopoly
There has been an interesting paper published this week and released at the Computer & Communications Industry Association (CCIA) warning that reliance on the Microsoft-based software is a danger to both enterprises and national security.
The paper was written by 7 respected security experts in the field, and really breaks down the insight of WHY Microsoft software is a danger, without bias for or against the software company.... but with information security as a focus.
What I liked about the report is that it broke everything down to three things Microsoft could do to engender substantial, lasting improvements in the field:
Without being forced, it is doubtful that these remedies will ever be taken, but it was interesting to see people like Dan Geer, Bruce Schneier, Peter Gutmann and Becky Bace get together to point it out.
Posted by SilverStr at 08:11 AM
Responding to Intrusions
CERT has released some pretty good information on how to respond to intrusions.
This is an important topic to understand. What happens in your organization when safeguards are compromised or fail? Most people do not have an incident response plan of any kind, leaving the security team and the IT team to tread water while they finger point, instead of dealing with the intrusion.
This is a good read. Make sure you follow the links to fully break down and understand was is expected of you, and just how you should do it.
Posted by SilverStr at 07:57 AM
September 24, 2003
Is it any wonder that security people are so misunderstood?
I just read a good article by Tim Mullen over at Security Focus, on the topic of why we as security people are misunderstood. When we do our jobs right, you never know about it. You only scream bloody murder when we don't.
My favorite quote from the article came at the end:
A final note to the CEO's out there-- if it isn't already, security will become the second most important thing to your company; right there behind the product that makes you your money. Remember always that Silence is Golden: if you want things to stay quiet, then give us your gold.Amen.
Congrats Dick on a job well done! For those who don't know, ActiveState was sold to Sophos today for $32 Million CAD. Dick is a guy I know from the PerlMongers group in Vancouver, and all his great work on the Windows version of Perl.
Best memory... Dick giving out bumperstickers that said:
If you don't know perl, you don't know DickEnjoy the new wealth Dick. You earned it.
Posted by SilverStr at 11:17 AM
September 23, 2003
How Good Is the WS2K3 Firewall?
As I mentioned earlier, it really has a ways to go. You gotta wonder... if they put as much effort into usability testing for their security components as they do for their applications (ie: Office etc), people in the information security field might even use it!
The Microsoft Conspiracy: To Monopolize the Security Arena
Put your tinfoil hats on boys and girls. Here is another conspiracy in action.
A comment at Neowin.net brings up an interesting theory: "So which company stands to benefit the most from the surging demand for security software? That's right: Microsoft. "
This is interesting, even with my tinfoil hat sitting on my lap protecting my genital region from the death rays emitting from my monitor, caused by the Windows XP video drivers.
Ok seriously though, this is kinda far fetched. The thinking of the comment is that Microsoft is going to dominate the anti-virus market with the purchase of a Romanian software company called GeCAD, which is apparently now integrated into Longhorn.
Simply thowing technology at the problem isn't going to solve it. It is going to take years (possibly longer) for Microsoft to rebuild any sort of trust as it relates to security and its customers, and get their approach to information security right. Consider XP's firewall. Before the release of XP everyone was saying the personal firewall market will die because of Microsoft's new firewall. With XP now out for a few years, we can see this isn't the case. Why?
Microsoft is not an information security company. Their expertise is in writing consumer software, and their focus is not on getting information security right. During their functional design phase, the firewall in XP it appears it was not designed with security implementors in mind. Which is why its interface, its interaction with the system, and its whole approach to packet filtering is below standard. And is why more personal firewall vendors have done well in recent years. There is a good chance the same will go with the anti-virus.
As Microsoft continues its shift to more secure coding practices, new code will be more stable, but legacy code will continue to be riddled with bugs. Let us remember that every iteration of their latest OS has an NT4 core.... which is scarey to say the least. Not that NT 4 was bad at the time, but it wasn't designed with secure coding practices in mind.
As Microsoft solves their patch management problems, their code audit issues, and gets itself on track for their Trustworthy Computing Initiative, they will indeed release "shielding technology" (A Ballmarism quote) that will make their platforms stronger. Yet even in the face of this, because most information security specialists, system administrators and IT managers do not trust Microsoft when it comes to security, Microsoft will not yet dominate the security industry.
The information security field has seen a lot of consolidation and many small companies get gobbled up in the process. Microsoft was another company swallowing up pieces of technology to assist them in an area they are weak. And that is good business. They had two choices. Build it or buy it. Much more effective to do the latter when you can. Hopefully the anti-virus component will be more successfully integrated than the XP firewall ever was.
So lets not become vexed because Microsoft bought an anti-virus company, nor shall we use our tin hats for anything more than a solar powered popcorn maker. (*yum*) Lets hope that the way Microsoft benefits is through a more secure platform for critical business resources. Then its not just Microsoft that wins, but us all.
Posted by SilverStr at 08:46 AM
September 22, 2003
Idiots Guide to Network Analysis
It definitely has been dumbed down, but if you have ever wanted to get an introduction on how to sniff packets on yer network using Ethereal, this does a good job of it.
Posted by SilverStr at 07:19 AM
Microsoft fake emails
Went away on a shorty holiday to the interior lakes to collect my thoughts and re-energize. What do I find when I get home? 1970 fake email messages that passed spam assassin that have malicious attack codes attached. Even though Spam Assassin did catch over 300 of the messages, it still allowed WAY to many through to a single account.
After spending an hour wading through the imap inbox I got it cleaned up, only to have another 75 delivered or so. That means I was getting hit with more than 1 a minute and escalating. Me thinks someone finds it funny to nail my mail server with W32.Swen.A@mm. *sigh*
I fixed the problem by adding a filter in postfix to simply filter out exe files. Well, actually since I was reconfiguring the server with some pcre goodness I set it up to filter out any executable content from even entering the mail spool.
I had this configured in exim for years, but when I moved to postfix I decided I would like to try it with a more lax policy as it relates to attachments. Seems if you let your guard down even a little, it will be nailed. Hard to do anything but scold myself for this one. I preach about least privilege, and then allow attachments which have no business being sent in email. Alas, we are all human. And we CAN learn from our mistakes. I sure did.
So, if you feel like sending me attachments that are not compressed or encrypted with one of my public keys, it is probably going to get rejected.
The fix stopped the attacks cold... with only 3 new fake emails in the last 12 hours. Much more manageable. Thank you must go out to the idiot who wrote the damn attack, as I appreciate you keeping me on my toes and making me realize that the weakest link is the human factor, and that includes me.
September 18, 2003
No honor amoung hackers
You will never know the best hackers in the underground. They stay quiet and never get caught. They don't do it for the exposure, or to impress their friends. They may misguide and redirect you from what they are really up to, but they never are sloppy and talk about recent hacks. And they don't befriend other hackers and brag about anything that may have transpired. You would not notice them in a crowd, as they try not to stick out.
Why? Because trust is to fragile in this world. In a mere moment, your best friend can become your enemy. This has never been more true than David Smith (the Mellisa worm writer) who broke down and helping the FBI catch other virii writers only weeks after his own arrest. I have no clue if he got a reduced sentence, but within no time he turned on Jan DeWit (Anna Kournikova virus writer) and Simon Vallor ("Gokar" virus writer) by telling the FBI about their exploits, and even recording online conversations.
There is a lesson to be learned here, not just for hackers. In this world there are too many secrets taken for granted. (Oh gawd Sneakers flashbacks... make it stop!) George Bernard Shaw once said "The only secrets are the secrets that keep themselves". And he has never been more right.
More to the point, no one can be trusted. Not your friends. Not your co-workers. Not your enemy. You need to be responsible and assume the worst. It will never stay secret otherwise. "Their" intent may turn on a dime. Want proof of that? How about a trusted Net4U employee who was mad at his boss and posted customer data, including credit card info, on the web. With 70% of intrusions happening internally (A CSI/FBI 2002 stat), its no longer about trusting your own people. Its about seperating roles and responsibilities. Its about applying least privilege. Its about giving information out on a need-to-know basis.
You know, sometimes I wonder if we ran our lives and our businesses modelled after the Bell-Lapadula (BLP) security model, we might be better off.
September 17, 2003
Art of the Saber
Just finished watching an excellent fan-made movie called Art of the Saber.
I am impressed, mostly because they have never done anything like this before, are not film students or actors, and just wanted to have some fun. You should check it out.
Posted by SilverStr at 10:30 PM
New DCOM Exploit: It's HEEEEEEEERE!
Well, Bruce Schneier was the first to find a working exploit. Reports everywhere point to the fact that Bruce found the source code on a public website that virogen users frequent and has tested it in his lab at Counterpane.
If you didn't heed my warnings last week, perhaps NOW you will listen.
Don't let the bastards win. If their attacks become futile, they will eventually grow tired and move on to something else.
September 16, 2003
New OpenSSH exploit
Well, this morning I was privy to a discussion and viewing of a new OpenSSH exploit running around. Slashdot even has a thread on this now.
Although very few sources have a patch in their respective package trees (nothing in apt tree as of 30 minutes ago), you can either upgrade to OpenSSH 3.7 or grab the patch here and compile it yourself.
Posted by SilverStr at 10:07 AM
Good interview with Adrian Lamo
Well, unless you have had your head in the sand you would have heard by now that Adrian Lamo (aka the Homeless Hacker) surrendered himself last week to the FBI, and was subsequenctly released on bail.
CNET has a pretty good interview with Adrian as he was surrendering, and really shows a contrast to how Mitnick acted during his "time". TechTV even has an exclusive video interview with Adrian that was interesting.
Interesting events include that Darcy (Kevin's girlfriend) has set up a legal defence fund over at freelamo.com, just like she did with Kevin moons ago.
Will be interesting to see how this plays out over the next little while.
Posted by SilverStr at 09:48 AM
September 15, 2003
Secure Programming Recipes RSS Feed
There has been an OR&A book I have wanted to get for a while called Secure Programming Cookbook for C and C++. (Note to people who would like to make my day, I would love a present on my doorstep :) )
Anyways, John and Matt are people I have known since way back. They are the authors of RATS, and are quite active on many of the mailing lists we are on. I am pleased to say they have revamped their book web site with some really good stuff.
They even have a RSS feed for the secure coding recipes section, which means I no longer have to visit their site in my browser, it will come to me in my aggregator. ;-)
Kudos to John and Matt on yet another area of my life simplified. Good job.
Posted by SilverStr at 08:42 AM
Rough Auditing Tool for Security in Windows Code
Got off my butt this morning (since I was up at 6am anyways) to finally get around to tweaking my development platform with some of my favorite auditing tools on Unix. I was ready to fight with compiling some source code auditing tools under cygwin.
But I didn't have to! The guys who wrote RATS ported it to windows! You can grab it here.
Works great. I have always liked RATS. It points out areas to really look at the code. I am happy to say it found about 6 areas to look into, and my code had already addressed them all. (With the only high priority being a fixed size local buffer which I am handling properly)
Source auditing goodness free on Windows. Who would have thought.
Posted by SilverStr at 08:11 AM
September 12, 2003
Smashing the Mac For Fun & Profit
If you have spent any time in the infosec field and deal with hacking, you will have obviously read Aleph One's "Smashing the Stack for Fun and Profit". This is one of the required readings in the field. It elegantly explains how to overflow systems on x86, and goes in great depth on how that is done.
Not to be outdone, B-r00t just released "Smashing The Mac For Fun & Profit", which does the same... but for the PowerPC / OSX. So if you would like to develop shellcodes intended for use in exploitation of vulnerabilities discovered within Apple's OSX OS, this paper is for you!
The old days where Apple fans could say their system was hack proof is over. (Well, it was never true to begin with, but I digress).
Good read. I learned a few new things about the PowerPC that I didn't know.
Posted by SilverStr at 09:53 AM
Cringely on Identity Theft
While standing on his pulpit, Cringely had a good article on identity theft. While finding he had his own mail stolen, he came across a credit report (which he didn't order) that got him thinking about ID theft.
Near the end of the article, he shows how he was able to get 300,000 records of personal information... enough info (Name, SSN, Address etc) to order online credit cards if he so desired. Not shocking is the fact that he just realized some federal agencies have been using citizen's SSN as a unique ID number in their databases... which only changd last year. This has been a long standing joke in the underground for over 10 years.
It's a good read. I am kinda happy I live up in Canada, where our SIN number is protected differently. (Not by much though)
Posted by SilverStr at 09:34 AM
September 11, 2003
Defeating the stack protection mechanism in Windows 2003 Server
David Litchfield has released an excellent paper on how to defeat Windows Server 2003 as it relates to their stack protection mechanisms.
This is really against the .NET compiler which supports the /gs flag (which is now on by default btw) which is used to build in stack protection.
He has some brilliant suggestions for Microsoft on how to solve these problems, and significantly reduce these threats. My favorite is the fact you can overwrite the cookies Microsoft uses to prevent the stack from getting overflowed.
It is quite simple really. Microsoft injects a cookie into the stack (an unsigned int) that can be checked against a stored location in the .data section of the module. If they don't match, we have an overflow. Here is the problem. You can overwrite the information in .data, rendering the check useless. His recommendation? Use VirtualProtect on the memory page and make it read only. No duh! Why didn't I think of that.
This is great as it solves a different problem I was having in my kernel-mode driver. I totally forgot about things like VirtualProtect (and MmSecureVirtualMemory in the kernel), which will allow me to lock a page of memory I need to prevent tampering in.
Thanks for the insight David! Great paper.
Step-by-Step Guide to Securing Windows XP Professional in Small and Medium Businesses
With the plethora of information about the latest HUGE RPC exploit (with which we could possibly see BlasterII in the next few days) I've decided to not blog about the obvious, like UPDATE AND PATCH YOUR SYSTEMS. I won't tell you to do things you already know, because you always UPDATE AND PATCH YOUR SYSTEMS.
Subliminal messages aside, instead of telling you what to do, (and where to go when you don't listen to me) I will point you to an interesting step-by-step guide to securing Windows XP for Small and Medium Businesses that Microsoft released yesterday.
Posted by SilverStr at 10:33 AM
Red vs. Blue
These guys took the Halo game engine and made some HILIARIOUS movies with really kewl attitude. You have to watch the movies to see what I mean!
Posted by SilverStr at 09:23 AM
Yesterday our local CIPS Security SIG had a presentation and discussion on corporate espionage techniques, and how to battle it. I am not permitted to discuss what was said in the meeting, but I am going to take this opportunity to discuss one aspect that dawned on me as we were talking.
In discussion about techniques for sweeping for listening devices we got into the topic of how cell phones can do neat things to computer monitors when they are close. And that makes sense. RF transmissions affect normal CRT type monitors. But your not going to walk around your office with a monitor looking for bugs.
Anyways, think of your cell as a bug itself. Most newer phones have an "Auto Answer" feature, which immediately upon signal answers the phone. Nice little feature. Now turn off your ringer. You now have a listening device you can use as an open mike. You can hide a cell phone in a board room hours or even days before, and then simply call into the meeting in progress and have an open mike that no one knows about!
This is where I think cell jammers would be useful. Remember when I talked about
Anyways, I had a great time spending hours discussing these techniques. Quite enjoyed it. Atleast I did until I started driving home. Took my OVER 4 hours to get home. (Normally takes me about 1h 15min) Apparently a rig flipped and oil spilled on the highway just before the bridge, and it took hours to clear it before I could move. Ugly drive home.
Posted by SilverStr at 09:19 AM
September 08, 2003
I AM SICK OF UNICODE_STRING POINTERS AND THE LACK OF USEFUL STRING FUNCTIONS IN KERNEL - MODE RUNTIME LIBRARIES.!!
Enough said. You can now go back to your regularly scheduled program.
New Security enhancements in Web Services
MSDN released on its Security RSS feed information about a WS-Security Drilldown in Web Services Enhancements 2.0.
If you want to really understand how to implement security, trust, and secure conversations in the Web services architecture, this is something you should read.
I am still not keen on the idea of Web Services, mostly because of my ignorance on the topic. But this article showed me just how easy it is to integrate many components of the architecture into any design.
I spend 90% of my day writing kernel-mode code, so its pretty much useless to me. Unless of course some of you want to pay to expose your Windows kernel to web services *lol*. No, I thought not.
September 07, 2003
Xcode: Apple’s Answer to Visual Studio
If you recall from a previous entry I did a few months ago, I am quite impressed with the latest developments coming out of Apple, especially XCode.
The Software Development Times has published an article about Apple's answer to Visual Studio, which is none other than the XCode I mentioned!
If you are interested in developing on OSX, consider reading this article to get an understanding about the wonders of XCODE. For me, the best thing about XCode would have to be the distributed compiling (nothing like stealing computing resources from the graphics department :) ), zero-link builds which reload binaries on the fly and predictive automated compiles. All neat features for the power developer.
What impresses me most about Apple's approach to developers over Microsoft's is the cost. To get the right tools, APIs, licenses and build environment (not to mention MSDN itself) you will easily be shelling out thousand and thousands of dollars (I think my total so far in the office for MSDN and the DDK/IFS is over $5000 just to get started on the Microsoft platform, for each developer). Apple includes everything for free in the OS they sell for $129. Now lets be fair, the market share is on the Windows platforms and Apple is trying to draw more developers to its own platforms, which is why they need to make the tools available for almost nothing. But after developing code myself on Unix platforms for what seems to be eons, it is a major change to move from free open source tools to the commercial ones available on the Windows platforms. Hard to complain though when I expect to make a living on said platform.
But I still admire Apple's position, and their latest version of OSX. Maybe someday I will even get a chance to own a PowerBook. Just imagine, I could do kernel-mode drivers for Windows through Virtual PC and still have all the powers of OSX to boot. Of course, I would need over a gig of ram, and be willing to deal with the huge slow downs of having two virtual machines running two copies of Windows at the same time (one dev to run WinDbg and one running my ring zero driver). Ya I'm nuts.. and in dreamland. But its fun to have dreams.
September 06, 2003
GSM Security Cracked
Reuters has a report that some Israeli Scientists cracked GSM Mobile Call Security, allowing them to listen in on any conversation on the network, as well as determining the parties on both ends.
Apparently it is getting brushed off, as they feel its not a practical attack that can be done without a lot of monetary investment in the needed hardware. This is just dumb. You don't think that the signal intelligence agencies of the world wouldn't invest in such a device if it means they can listen in on all cell traffic on the encrypted network? Of course they would! More importantly, so would many criminal elements!
They say an upgrade that fixes the flaw has been updated in some areas in July, and that 3G networks have an entirely different algorithm, rendering this attack useless. Guess the world should scrap GSM and go to C/TDMA. NOT.
Time to move everyone to 3G.
Posted by SilverStr at 01:51 AM
September 05, 2003
What's in my Information Security Toolkit?
I have received a few emails of late from people asking which tools I would recommend for them to use as part of their information security toolkit. I have also been asked what tools to learn first.
Well, instead of recommending individual tools that I use, I would highly recommend that you instead grab the Knoppix STD (Security Tools Distribution). It basically has everything that you would want, and can be carried almost anywhere. I have used it for a while now along side my other stuff, and it works great.
As to what to learn first, that will be uniquely different in individual environments. As I have no clue what your background is, I can't tell you where to start. For a moment, let us assume you understand your network, servers of all types (Windows and Unix) and TCP/IP. In that case, I would recommend you becoming intimately familar with the following (which are in alphabetical order so not to show my favoritism):
Guess what? All these are available on the Knoppix STD CD in one form or another, along with lots of other tools you should learn!
Give it a try. You might like it.
Some of my kewl XP Registry Hacks
When I was talking to Cuv after our squash game last night we got onto the topic of securing the desktop in Windows, especially against user stupidity.
As I promised, I am posting some of my kewl registry hacks I have collected over the years to lock down a machine. I would credit the original sources, but its been years and from so many people I don't immediately remember all the sources. But there are TONNES that you can find on google. These are just my favorites.
Please use it at your own risk. If you nuke your machine I AM NOT LIABLE!
Still with me? Kewl. Ok, you don't need an intro then... but I will give you a tip. If you want to change something for a SPECIFIC user, and you are administrator, you will need to get the associated user hive, as HKEY_CURRENT_USER is invalid. You can find the users somewhere in HKEY_USERS. I typically just open the hive and look for the user's name. Works every time.
So lets get to it!
Now when you right click on the start button, you should no longer be given the option to Open, Explore or Find.
Additionally, to specify the display style, create a new string value called "WallpaperStyle" and set it to either "0", "1" or "2" according to the list below.
0 - Centered (Default)
And my all time favorite:
Create a new DWORD value and name it 'RestrictRun' set the value to equal '1' for enabled or '0' for disabled.
Then define the applications the are allowed to be run at the key [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun].
Creating a new string value for each application, named as consecutive numbers.
Reboot the computer for the changes to take effect.
Now, this is not path or MD5 verified, so the theory is someone could alter the name of a malcious code sequence to something approved and bypass this. But.. if you remove access to explorer, they can't even do this.
At Arcterex's last LAN party this was what I used when I created the "gamer" account on one of my boxes that Cat5 tried to hack, only giving access to Quake3, Urban Terror, Unreal and RTCW:Enemy Territory. With a combination of that and strict perms for least privilege, I wasn't to worried about people screwing with the box. Of course this isn't going to make you hack proof, but it will limit the destructions users (or students) may do to your machines.
September 04, 2003
Batching the Patching. Good or Bad?
Today I read an email from Thor Larholm over at PivX Solutions in which he had some comments about Microsoft's latest Security Updates. (In case you didn't know they released 5 Office updates yesterday.)
He said something that got me thinking:
"Which leads to the positive side, it is definitely great to see Microsoft releasing 5 vulnerabilities in a single day, rather than releasing a new every other day. They must have listened to the feedback from administrators who tired of inefficient and constant patch jobs, and should definitely adhere to this practice in the future. It may be a small step in optimizing the entire patch process, but it's a positive trend."This is quite an interesting view. Optimizing patch management by sending these patches in batches. It makes a lot of sense because administrators can get more done in a single pass, patching multiple holes in a single session. But it got me thinking about this a bit more.
Traditionally, these patches need to get tested in a "clean room" and have to go through a series of steps before being deployed in the production environment. These steps can easily take a few days as you ensure that the integrity and availability of the services will not be hindered by the upgrade. Anything that is "critical" can be sidestepped and addressed immediately. Along this path, would having one patch every other day make a major difference, other that the roll back in testing (which I believe would be minimal if a structured methodology was used)?
This will be uniquely different in every environment. But I am not sure if I would appreciate any vendor holding back a patch to fit a release cycle. Microsoft used to be bad with that when they would try to put everything to be fixed in service packs, and make critical bugs get cleaned up in unannounced hotfixes. Now adays, it seems once the patch is ready it gets released. I would guess (and its a wild ass guess at that) that these 5 bugs came out of the Office maintainers at the same time, and that is why the patches came out the way they did.
What are your thoughts? Drop me a line (email@example.com) or comment here. Do you believe that batching the patching is better or worse in your environment? For those windows administrators, do you use a test deployment before it hits the production environment, or do you just cross your fingers and patch?
It's an interesting topic for discussion. Thor ended his email talking about how the patches aren't the problem, it's getting the administrators and end users to actually apply them. And I agree with him. But I am curious to how many administrators actually go through a properly laid out patch management strategy or not. I'll bet most don't (which is why these worms seem to do so much damage) rendering batching no better (or worse) that updating with a blindfold when you can find time.
27 million victims of ID theft
I think I realize why the "gang" got together to form the The Coalition on Online Identity Fraud.
InfoWorld reports that over 27 Million Americians have had their identity stolen in the last five years. You can read the article to get the stats, but its just nuts. Almost 10 Million people had their identity stolen just last year, and cost businesses and financial institutions over $48 Billion in the same period! On top of that is the fact over $5 Billion came out of pocket from the victims themselves!
Posted by SilverStr at 01:46 PM
September 03, 2003
The Coalition on Online Identity Fraud
Well this is interesting. A bunch of online retailers, vendors and software makers have gotten together to form the Coalition on Online Identity Fraud (including Microsoft, eBay and Amazon) in an attempt to team up to fight online identity fraud.
What I found more interesting were some of the other founding members like RSA, McAfee, ZoneLabs and Versign. Will be interesting to see what (if anything) they can agree to do in the coming months. If they truly do share information on computer crime and stay ahead of trends, this could be a good start. Of course, it could just end up like a political sideshow. We will have to see.
Posted by SilverStr at 01:15 PM
Just received Bruce Schneier's new book "Beyond Fear: Thinking sensibly about security in an uncertain world" from Amazon. Well I bought it on the day of release and it finally showed up yesterday.
Anyways, I have only had a chance to skim through it, but it looks like a great book. I would expect nothing less from Bruce. This isn't like Secret and Lies in that it talks about all realms of security, not implementations of information security. After my rant yesterday I love this quote:
Searching kids and grandmas actually improves airport security, but arming pilots makes us all less secure.The book looks interesting. In traditional Schneier fashion he approachs the topic without distilling any fear, uncertainty or doubt. He tells it like it is.
Can't wait to take some time and read it one of these nights this week. I'll give my book report sometime next week when I am actually done reading it in depth and have time to blog about it.
Posted by SilverStr at 10:26 AM
Blocking ads may also block Windows updates
The Sydney Morning Hearld reports that since Microsoft did a zone upate for its DNS servers on August 18th to deal with the upcoming DoS of recent worms (smart idea, wish I thought about that. Ok so I did... as did many others) many people who use the hosts file trick to block ads have found they can no longer do Windows updates.
Why? Well Microsoft now uses Akamai to deal with caching, and this is typically blocked in the hosts file when doing the ad blocking trick. For those who don't know, you can easily stop ads (or any other content) from loading by routing the servers name resolution to 127.0.0.1 (localhost).
The fix for this update boggle is easy. Remove a248.e.akamai.net from your hosts file.
Posted by SilverStr at 10:17 AM
September 02, 2003
Another commerical biometric failure
For a refresher, Logan airport is where more than half the terrorists boarded during the 9/11 attacks.
I really hope biometrics get better soon. Up here in Canada we are now looking at new passports with biometrics, and the arguement at government is which one is the best.
Look, technology is not going to solve this if we don't have enough diligence to deal with everything else relating to it. The weakest link is the human factor. You know what would be better than a computer catching a terrorist? How about a well trained person doing passport checks and weeding out suspicious activity? How about MORE enforcement with better trained police and airport security to prevent the acts that HUMANS are taking. How about better cockpit doors to prevent unauthorized access. Look, directing huge airplanes into buildings isn't all that technical. Why do people think it will be solved with technology? I am all for better methods in detecting threats, but what happens when the "terrorists" are not yet in the database? At that point, facial recognition is useless.
But I digress. The point is that risk mitigation, even in physical security has to go beyond whats in front of us. What good is detection if we have no real mechanisms of measurement, and worse yet response. What do I mean? Consider this. In government "clean room" tests, the USA Today article says it had a 90% success rate. Sounds good right? Well I don't think so. What happens when we throw more security at something? We normally get a false sense of security, and become lax in our procedures. It is human nature. In other words, 10% of the time KNOWN terrorists will get through, and will probably increase as our methods for detection and response are left to technology, which is prone to fail. The article doesn't go on to explain the levels of false positives and how they weed out the events, but the false negatives are way to high.
Someday biometrics will mature. But its not quite there yet. We need to take some of these resources and train the personnel that work with these systems better. We need to hire more agents responsible for protection (from police to bodies properly checking luggage) to deal with detection, and hire even more people to deal with response. The level of competancy and bodies to deal with forensic investigation, signal analysis etc at all levels has a ways to go. And we need to get biometric companies to get more involved. To look beyond the fast buck and really make systems that work.
There is nothing wrong in making money in the security industry. But you need to do so in a responsible manner, and avoid using the FUD factor as an agent of your marketing efforts. Build systems that work and that you can be proud of. Thresholds HAVE to be better than 90%. Get with it.
Posted by SilverStr at 12:17 PM
Worms bring out the Hatred in people
Phil Karn (aka KA9Q) has a hatred for Microsoft and their lack of security. Well explained one at that.
It seems Microsoft used some open source/public domain code in Windows XP which had Phil's email address in it from work he did previously. Microsoft was kind enough to give him credit in a release note... which ended up doing more harm than good.
Why? Well Klez and SoBig found the email address and bombarded him ... repeatidly. Gotta love worms that scan harddrives looking for email addresses. Basically, there is a chance that every XP machine that was compromised has had an opportunity to fire an email of the Phil.
Phil shows a nice chart of the attack. By the end of August he was getting hit by over 900,000 email spams from the worms. Oh how nice.
Goes to show you the side affects of Microsoft's mistakes. We all suffer from it. The lack of security of others affects me personally as I have to defend against the compromised hosts. Of course, now if you are an open source developer whose code gets used by Microsoft... you have a chance to become a target as well. *sigh*
What I can't fathem is how we got this far. I have a lot of respect for people like Michael Howard over in the Secure Windows Initiative. But even still, I don't think half the campus is TRUELY listening to what the security gurus on their own campus are saying. Taking a month off to audit code doesn't seem to be enough, because these latest attacks (which are getting incrementally smarter and more creative) all come from code that WAS audited.
Now I have heard the comments about Microsoft being the victim because of their marketshare in the industry. That doesn't fly with me. They may be a bigger target, but they have the resources to DEFEND against it they CHOSE to. (Notice I said CHOSE to, this is a senior management issue... not something the programmers or lower levels can do about it) With $50 Billion in cash, if they spent even a billion more on securing existing code they would probably make it back within a year or two... from those customers they are going to continue to lose or speak out in the midst of this. Don't believe me? Check out this open letter to Tom Ridge(Homeland Security guy) from the Computer and Communications Industry Association. Imagine if the US government started listening to this, and Microsoft lost its government contracts. Bet you then they would take more action.
Frankly, this is why I left my last company and formed a new one. We need creative solutions to defend against these and new unknown threats. Its sad to say, but Microsoft has created a market for us. As they continue to miss out on these opportunities to fix their problems and take care of their client's concerns in relation to security, there is a pain that needs to be soothed. And more to the point, instead of bitching about the lack of security, I want to be proactive and do something about it.
By the end of the year, you'll see how.
Posted by SilverStr at 09:00 AM
September 01, 2003
Cellphone jamming scam exposed
The Register has a pretty good story that gave me a chuckle this morning.
It seems a gentleman in the UK was selling cellphone jammers to hotels, B&B and bars in an effort to drive customers to use expensive hotel phones instead of their own cell phones.
Quite ingenious if you ask me. Illegal. But ingenious. Apparently he was buying these in Asia and reselling them for 75 pounds and doing quite well. Till he got caught.
I don't know what makes me laugh about it. Not sure if its the unique use for jamming, or the fact he got caught. Funny either way. Personally, I think this would fly better in movie theaters. I am tired of cells ringing during the movie. Perhaps I need to pick one of these up and take it with me when I go see the Return of the King.
Posted by SilverStr at 09:06 AM
Blaster may have contributed to BlackOut 2003
Well, we seem to be coming full circle. Everyone was touting that Blaster had nothing to do with the east coast blackout. It was impossible. Well, apparently not.
ComputerWorld reports that although Blaster did not directly attack control systems of the power grid, it may have contributed to the outage. It seems that due to the very nature of the worm's progagation characteristics, the worm delayed critical signalling messages between the power plants long enough to prevent the automatic protections to properly handle the cascading effect of the outage.
It would appear that when the software was designed the threshholds for stress to ensure timeliness was to low. This is where threat modeling really comes into play. In the last year I have spent countless hours evaluating and re-evaluating better ways to do threat modeling both individually and through groups. I found STRIDE threat modeling the most effective way to have the modeling, and can see how... if they would have used it here, they would have immediately seen the weaknesses they were exposed to. If they had an issue needing timeliness of information, mechanisms should have been provided to better guarantee that the signals got through.
How? Well, I have no clue how they created their communication channels. But off the top of my head they could have used dedicated lines for such information. To expensive? Ok. bandwidth throttling with quality of service (QoS) to ensure that such information took precendence. I can't guess what is the right solution, I wasn't there. But its apparent the software engineers didn't account for it either.
I have a phrase I love to say now adays. I don't know where I picked it up, but its bang on in these situations. You cannot build secure systems unless you know the threats to which you are susceptible.
More on Microsoft's new Patch Management Strategy
Well, on the heels of my post last week on Microsoft working on a new patch management system, NetworkWorld Fusion has a more rounded report discussing how Microsoft is going to revamp patch management software.
Should be interesting to see in the next 6 months. My only worry is if Microsoft does automated updates without our consent. I do not trust Microsoft's patch strategy right now. It is common for it to fail, components to not install correctly, and the install to break other software that is working fine.
I would rather see a mechanism to automate installs on machines I wish to allow so I can test it in a "clean room" before rolling it to the production systems. Once I am ready, a single command could then push the msi to all machines on the network by group, allowing me to do a staged deployment.
I won't hold my breath on such a strategy. But it would be nice. If Microsoft screws it up in the next 6 months maybe I will have to do some market research and survey a large group of corporations and see if this would fly as a 3rd party product. Who knows.
Posted by SilverStr at 08:34 AM