The Crock^H^H^H^H^H Art of Intrusion

Information security professionals sometimes are looked upon as soothsayers of the digital divide. Typically the outside world cannot fathom what we do, and how we do it. There are many examples I can give you to illustrate this, but the point is that many times we are misunderstood.

Newer people to the infosec world love to try to use FUD (fear, uncertainty and doubt) to push their points home. This is normal, and it can be outgrown if the professional actually spends any real time in the field and realizes that information security is about mitigating risks, not eliminating them. The problem exists when these people get their "learning" from books written by witty hackers of the past.

If you are a Kevin Mitnick or Adrian Lamo fan, you probably are not going to want to read any further.

Still with me? Good.

The problem I speak of is wearing blinders and thinking modelling after self-professed crackers is a GOOD thing. These guys have actually stated that they had good intentions when they were breaching systems. They did it for curiosity sake and meant to cause no real damage. People like Lamo have had WorldCom, SecurityFocus and TechTV giving him praise for his efforts and promoting him as an expert. Mitnick has already written a book about his social engineering skills in The Art of Deception, regularly speaks at security conferences and has started his own company. Although I cannot deny these gentlemen have great skills, promoting yourself as an information security professional because you can relate to them is a CROCK.

Security is not a game. You will not become a respectable information security professional by 'doing a righteous hack' or simply reading a single book like Hacking Exposed or Mitnick's next one called The Art of Intrusion. Which gets me to the reason for my post.

The Register posted a good article about Mitnick calling out to the hacking community looking for good stories to add to his book on the art of intrusion. For $500, you too can be published. *snicker*

This is just dumb thinking. Profiling your attacker is one of the first logical steps when evaluating the threats you are susceptible to, and what risks you need to mitigate. What keeps me up late at night is not the nuisance from egotistical script kiddies that want glory in a book from Mitnick, or a few minutes on TechTV with Leo Laporte. It’s the professional hacker that is going to use these new blended threats we are seeing in the real world to cause real information theft or maybe terrorism on our critical infrastructure. It’s the insider attack from a disgruntled employee that will bring down an entire corporation to its knees, or perhaps destabilize parts of the economy. blah blah blah. You get my point.

You see the real hacker (evil intruder connotation here) isn’t going to tell you about his exploits. He doesn’t get caught. He treats the digital domain as a field of espionage and respects the boundaries that he plays in. (Although I use the term respect loosely here)

This is no better then the security vendors who offer money in contests to breach their new wiz-bang device. The reality is there is nothing wrong with vulnerability assessment, but this is not the way to go about it. A professional hacker isn’t going to waste his time breaching your system to gain a quick buck. If he has any real intent, it will be to make big money later if someone installs your new device in a real environment where the target is unaware, and has information resources worth something to the attacker. Typically this sort of ‘we are unhackable’ attitude comes from inexperienced vendors and professionals that are not seasoned in how the attack will work... and who will typically have very little real-world experience.

So what am I trying to say? Well, if you want to be an information security professional don’t model after these guys. Feel free to read and learn from some of their experiences, but put it into context. Misguided in their pursuits, what they did was ILLEGAL. It was UNETHICAL. And it was WRONG.

They used the guise of ‘curiosity’ to shield them from the very fact that they were TRESPASSING. The consequences of their actions had DAMAGING after effects to the target, if they knew it or not. There were REAL COSTS associated with having to deal with the cleanup of the incidents, and the time associated in the evaluation and analysis of what these attackers did. Worst of all, they continue to promote the action as something good for the security industry, when IT IS NOT.

There was a good analogy that Lawrence Walsh wrote about in a Information Security magazine article a few months back about Lamo that I thought was bang on:

You see an opulent house with many ornate windows and doors. Out of curiosity, you try to enter. By chance, you have a ladder and find an unlocked window on the second floor. From Lamo’s perspective, it’s completely acceptable to enter, rearrange the furniture and make a few long-distance phone calls, so long as you tell the owner how you did it.

That thinking is WRONG. They undermine everything an information security professional should stand for, and its right that they be prosecuted to the fullest extent of the law. I wouldn't put much faith in 'war stories' sought out with small amounts of money from the hacking community either. The quality of the information of the attack is just not there.

Secure Coding: Keep an eye on inputs

David Wheeler has another input validation article over at IBM looking at the how to find and secure the gateways into your programs.

This article discusses various ways data gets into your program, emphasizing how to deal appropriately with them; you might not even know about them all! It first discusses how to design your program to limit the ways data can get into your program, and how your design influences what is an input. It then discusses various input channels and what to do about them, including environment variables, files, file descriptors, the command line, the graphical user interface (GUI), network data, and miscellaneous inputs.

Happy reading.

Security Testing with csUnit

Recently I have been wrestling with the idea of providing unit testing within our codebase. Wim has put up some good info pointers in his Miniwiki about automated unit testing, which included a link to csUnit, a C# unit testing framework.

Nick Smith wrote a good article on how to Write Unit Tests for C#, although he uses dotUnit, which is a .NET branch of JUnit, a unit testing framework for Java. It seems clean enough, but for some reason I like csUnit better. No real intellectual basis for this... just a feeling. Not sure why.

This DOES have me thinking about security tests in my .NET code though. There is no reason that these test harnesses cannot be retrofitted to supply security testing per method. I just am not sure I like how the 'extreme programming' community approach unit testing in this regard. I don't know how practical it is to write the tests BEFORE the code. I think it would be easier to write the initial security tests for each method once the method is written, so you know what to test for, and more importantly what the resiliency reaction should be in the face parameter validation, tainted data injection, state manipulation etc.

Another important tangent to this is trying to make this integrate across the project scope and build scripts. Unlike C, C# did not appear to have clear preprocessor directives, to ensure the tests are not compiled into the IL for production release builds. Scott originally thought using ConditionalAttributes would work out, and later found that there are tonnes of #if#else conditions and other C# preprocessor directives. Seems no one knows about them... but they ARE there. I love learning something new every day. Now if/when I implement this I can go write tonnes of C style DEBUG blocks around the testing framework.

What are other peoples experience with this? Anyone out there doing C# unit testing? Any focused on security testing?

The Eight Rules of Security

Recently I have found myself with the opportunity to continue my ambassadorial role as it comes to information security, and provide some teaching on the basics of security as it relates to business. As I sit here and reflect on just what should be covered in a span of 15 minutes to give the most in depth understanding, I realize that its not such a simple task. Traditionally, people look at the infosec field as something to do about firewalls and antivirus. They treat technology as THE solution, instead of simply the enabler. And it’s this fallacy that weakens any security implementation. Security is a process, not a product… and should be treated as such. Through the security lifecycle, policy and procedure needs to take precedence over implementation. It’s a bigger part of the circle for a reason.

Anyways, as I think about it more I realize that there are eight components of any good security decision. This isn’t new, and has been covered off in writings from people like Kevin Day years ago. And it still applies today. What it comes down to is eight simple rules (commandments so to speak) of information security.

1. Rule of Least Privilege – Only give enough access to a subject as required to do their job. My favorite quote is “The best security model is the one that lets you do anything… <pause> …that you are supposed to do”. A proper policy of least privilege will allow a subject to completely do their tasks without incident. It is only when they go AGAINST their policy do they come up to barriers. It’s a subtle but important distinction. If you make the safeguards to stringent or complex, people will try to circumvent it so they can get their job done. Yet if you apply it correctly, they will rarely know about it unless they try to do something they are not supposed to do anyways.
   
2. Rule of Change Management – When you make a new change you expose your business to new risk. Any time a change is to occur you must consider all possible security implications. You MUST have a clear and concise change management process that you adhere to. To remain secure you must be aware of changes going on within your environment, and what impact those changes have on you.
   
3. Rule of Trust – You must understand the implications of extending trust to anyone or anything within an organization. The rule of least privilege should prevail. Although you may trust your system administrator today, what happens when he holds a grudge towards you tomorrow? Can he bring your organization down to its knees? (Consider reading the exploits of the BOFH for funny examples of just how many admins feel/think. Although the BOFH is fictional, I can speak from experience when I say many of these tactics HAVE been tried in production environments by bored admins) Although Alice may be your best employee, will she be next year? You never know. Almost 80% of all breaches happen WITHIN the network. The internal threat is a significant one, and one you must address with the rule of trust.
   
4. Rule of the Weakest Link – The old analogy still stands… you are only as strong as your weakest link. Think about it in for a second. If you spend $25,000 on that new wiz-bang security device, but allow anyone within your organization to directly access your server, how effective is it? Let me give you a more practical example. If you spend $10,000 on a new solid oak front door for your home, $5,000 for a solid metal back door, and $500 on window lock hinges, your entire home security will be worth $500, even though you shelled out over $15,000 to increase your protection. Burglars know this... and will breach through the window. The same principle should be applied when detecting the weakest link in your information security practices.
   
5. Rule of Separation – To effectively secure something, you must mitigate the risks associated with it by removing the threats around it. Isolating critical business resources and services to their own machines, followed by strengthening its offerings with the rule of least privilege, will significantly reduce the attack surface of the object you are trying to secure. I see this a lot in the field. People run their entire organization on a single server, exposing the corporation to greater risk than needed. The more subjects that need to access a given resource, the higher the chance is that it will be exposed to greater risk. Separating services to different hosts, and only providing access as required significantly reduces these risks, and strengthens the overall posture of the services.
   
6. Rule of the Three-Fold Process – Security is NOT just about technology implementation. Administrators love to install new fancy wiz bang things, but typically don’t follow through the entire security management lifecycle. You must include implementation, monitoring AND maintenance to effectively safeguard your resources. You must understand what is being monitored and logged, know when something is wrong and know how to respond to it. You need to keep up to date with what is going on and what your overall security posture is at all times. If you don’t, what good was implementing the resource’s safeguards in the first place?
   
7. Rule of Preventative Action – To effectively defend against the digital divide, you need to proactively assess the security in your environment. You need to keep aware of new security risks that are in the field; Keep current with security tracking mailing lists, RSS feeds etc. Regularly test your defences using vulnerability assessment tools before an attacker does. Maintain a strong three-fold process and keep your systems up to date with the latest security patches.
   
8. Rule of Immediate and Proper Response – Long before you are ever breached, you should have an Incidence Response plan put in place. It has been seen in the past, that when an organization responds poorly to an intrusion, they typically do more harm than the attacker did. A rational, well though out response plan can make all the difference. You need to react quickly, document everything and above all STAY CALM. Ensure you have a very clear and widely known chain of command so that the issue can be reported quickly to the right people and get a rapid response. Be discrete (yelling ‘the sky is falling’ is never productive) and follow your plan.
   

With these eight rules, you will be significantly more secure. Technology will fail. Accept it. With proper policies and procedures in place though, you significantly reduce the impact that it may have on your organization. You will find that riddled through each of the above rules, a common theme exists.... if you only followed one rule, let it be The Rule of Least Privilege. Using least privilege significantly reduces the damage that may be caused when exposed to risk. It contains suspect behaviour to the smallest set of actions and activities, and maintains the confidentiality, integrity and availability of the rest of the environment. And in the end... thats what we want to accomplish.

Happy Holidays!

I do hope everyone is having a good holiday season. With Christmas now behind us and the 2004 before us, I do hope you are as excited as I am at the prospects of a joyous and prosperous New Year.

It has been nice getting away for the week to just enjoy the holidays. A nice dump of snow has graced our landscape, even if it was on boxing day.. and not actually a white Christmas. Christmas itself was great, with Santa being extra generous this year to me. I got a nice new 4x DVD burner, and the book that I wanted on computer espionage tactics and countermeasures.

Wishing you the very best in 2004!

- Dana

Deploying ICF in Managed Environments with XPSP2

With XP SP2 beta now on MSDN, I guess its time to point out that there is an article released by Microsoft on deploying Internet Connection Firewall Settings for Microsoft® Windows® XP with Service Pack 2.

This article describes how to deploy the appropriate configuration settings for ICF on an organization network so that it is enabled and providing protection and so that communications are not impaired.

If you are looking to deploying the ICF in your organization now is a good time to start looking into how to do it with the enhancements of XPSP2.

Think of it as an early Christmas present from Microsoft to you.

Merry Christmas

This year I have been truly blessed, and I do hope you have been too. I would like to wish everyone a Merry Christmas, and a Happy New Year.

[Our Christmas Tree]

OpenSSL gains FIPS 140-2 Certification!

Way to go guys! GCN reports that NIST has approved the OpenSSL library of encryption algorithms for use on sensitive government networks.

The cryptographic module of OpenSSL has passed Federal Information Processing Standard 140-2 Level 1 tests. (FIPS 140-2).

This is great news. And its great to see open-source software get a thumbs up on the security end of things. If you don't understand why having FIPS is good, understand that it is an extensive external validation of the crypto used in the software. Check out the FIPS Standards to learn more about the validation process. If you want to understand the implications for OpenSSL, read the OSSI FIPS FAQ.

An In-Depth look Into Linux Security in 2003

Following up on the heels of my earlier post a few days ago on Windows security in 2003, HelpNet Security released an article called Reflecting On Linux Security In 2003, which talks about the state of affairs that is security on Linux in the last year.

This article wasn't of the same substance as the Windows one. It seems to be more of a he-said/she-said finger pointing article about Linux vs. Windows security than about Linux as a whole. However, there are some good points to reflect on if you take time to read between the lines. Patching is just as much an issue on Linux as it is Windows. High-profile breaches (such as the Debian project and the kernel tainted code injection attempt) shows Linux, and the Linux development process, as being just as fallable as other systems.

So what can you make of that? I dunno. Go read the article and make your own determination.

Make more Mistakes: Don't Fear Failure

Eric has published another article called Make more Mistakes which was just put up on MSDN.

More interesting writings from a CEO that is willing to admit he is not perfect. More importantly, he was willing to open up and talk about some of the boneheaded moves that he (...well most of us actually) have had to go through as we build our companies.

It's refreshing to see it published on MSDN, allowing other ISVs to benefit from Eric's experience. Along side some of his other great articles, this is great reading if you are building out as a ISV.

Veradys hires Dan Geer

I knew it wouldn't take long for Geer to get picked up. After Dan got fired from @stake for sounding off against Microsoft as a "national security threat" in the report "CyberSecurity: The Cost of Monopoly" (I talked about this document a while back), NetworkWorld Fusion reports that Veradys hired Dr. Geer as their chief scientist. A couple of interesting quotes from Dan on being fired from @stake:

Quote 1: "I was fired for saying the emperor is naked."

Quote 2: "[My job was] to make @stake look bigger than it actually is. And I was successful at it."

Of course, we need to remember this is coming from someone just fired, and openly admits that he is bitter at @stake. But its interesting to hear him finally comment on it.

NIST releases Guidelines for Mapping Types of Information and Information Systems to Security Categories

NIST has completed the first draft of Special Publication 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories. The purpose of the draft guideline is to assist Federal government agencies in identifying information types and information systems and assigning impact levels for confidentiality, integrity, and availability. Impact levels are based on the security categorization definitions in FIPS 199, which I talked about back in September.

The document comes in two volumes:

1. Volume 1: provides guidelines for identifying impact levels by type and suggests impact levels for administrative and support information common to multiple agencies.
   
2. Volume 2: includes rationale for information type and impact level recommendations and examples of recommendations for agency-specific mission related information.
   

A goal of this document is to independently define the impact level, that is, determine the impact level without considering countermeasures or controls. If you wish to comment on the draft, NIST requests that you do so by February 20, 2004. You can send them an email at 800-60_comments@nist.gov

Happy reading!

An In-Depth look Into Windows Security in 2003

HelpNet Security published a good article on the state of affairs that is security on Windows in the last year.

The article is interesting as it quotes people typically very critical of Microsoft as having a somewhat "pro-Microsoft" attitude as it relates to Microsoft's stance towards security in the past year.

Of course if you have been reading my blog over the last year, you will know I agree with them. Microsoft has a long way to gain our trust, but they are making the effort. And thats important. By the time they fully transform the campus into a completely security-minded company, Longhorn should be getting released, and we will finally see if Microsoft really got it right.

Until then, we will have to see how they do with XP SP2. With the beta now out... it shouldn't be to long before its released!

Microsoft 'Stingray'

Winbeta.org reports that Microsoft has released its next Beta of Internet Security & Acceleration Server 2004 (ISA Server), codenamed 'Stingray'.

Winbeta.org even has some interesting screenshots:

• Autorun
  
• Introduction
  
• Getting Started
  
• Add-Ins
  
• Configuration
  
• Dashboard Monitor
  
• Configuration - General - Common Attacks
  
• Configuration - General - DNS Attacks
  
• Networks
  
• VPN
  
• Performance Monitor
  
• ISA Server Management About
  

This is an area that should be interesting to watch in the coming year. Microsoft could do a LOT to strengthen their security offering by adding the right tools here to monitor and maintain security policies across a Windows network. Time will tell if they start integrating things together.

Gain root on OSX by holding down CTRL-C

I haven't posted a lot recently on exploits / vulnerabilities since so many lists are doing a good job of that, its pretty redundant for me to do the same. However, today I just had to post this one, as it made me chuckle as I realized that Alan's PowerBook is mine :P

Security Tracker reports that if you have a USB keyboard and you hold CTRL-C during a boot/reboot it will cause "init" to fail and give you a shell. Of course, you have to have physical access to the box, and should thus consider the box suspect anyways if someone can plug in a USB keyboard and then perform the CTRL-C deed... but thats not the point.

There is a fix for it. I suggest if you run OSX, that you go get it.

Update: There is an article about this by the original reporter with step-by-step screenshots on compromising the box if you are interested.

MPx200: My next phone?

Well, I think I found the next phone I want. It is the MPx200. It is a Windows Smartphone in a slick clamshell, capable of also acting as a modem for my laptop through USB. This has some serious potential.

Things I like about this:

1. I would no longer have to carry around my Handspring Prism PDA (which is almost dead)
   
2. I get rid of my current PATHETIC phone that has almost no juice. (I have to charge it atleast once a day... even when I DON'T use it)
   
3. It integrates directly with my Outlook, Address book etc
   
4. It has a real browser, not just WAP. (well real being kinda a misnomer... its IE. Wonder if Firebird could be ported)
   
5. Can easily check email on the road through my phone. As I said earlier, it syncs well with Outlook... making it more interesting.
   
6. Always on IM. You can always find me if I am in range.
   
7. Can act as a modem so I can VPN to the office servers in a pinch, when 802.11 hotspots aren't available.
   

This I DON'T like about it:

1. No keyboard.... you gotta do the "keypad" typing.
   
2. Running older version of the OS, and I don't think I can upgrade it.
   
3. A bit bulky/thick
   
4. Not the fastest thing (from what I saw while in Seattle playing with the thing)
   
5. Always on IM. You can always find me if I am in range if I am signed in. (Oh wait, was this a positive or negative thing???)
   

There currently isn't any availability in Canada, but I seem to find a lot of people selling "unlock" codes to take care of that on Ebay. Apparently I can buy a locked phone and then get it uinlocked, but I am not sure how that works. Since its GSM, I just need to move my SIM card over and it should all work if its unlocked. Not entirely sure if thats true or not. Wish I knew. *sigh*

Of course, if I lived in the States I would snap this up. Especially since I can get the phone for free on Amazon.com if I get a plan with AT&T. Apparently Rogers AT&T in Canada has no affiliation with AT&T US, so I can't take advantage of that offer. Oh well.

So, if you happen to be looking in a cell store and see one of these things, check it out. You might be suprised how far cells have been coming lately.

Passive Surveillance with OnStar

Ok, well now that its in the news I can finally talk about this. Some people might remember about my talk a couple years ago on hijacking the original OnStar signal and be able to extract information about a motor vehicle, including complete vehicle diagnostics and the ability to unlock/disarm a vehicle. People freaked when I showed the data flowchart for the ignition kill routines. (Imagine driving on the highway and a hacker turning off you car. Not a pretty sight)

Most of this was fixed when GM launched the next version of it, which actually made SOME efforts to fix the lax security in the communication protocol. However, the one thing I didn't talk about much was the fact that deep within the OnStar system is a cell signal which OnStar can control... passively.

In other words, it is possible for OnStar to listen in on you covertly and without your knowledge at all... or a way to turn it off at will. Of course the FBI learned of this... and decided that this would make the best surveillance wiretap. And now that its out in public, I am informing you. Don't drive a car with OnStar if you are worried about being monitored by big brother.

Kinda makes me thankful I don't drive a GM.

Vulnerability Scanning with Nessus

Security focus has a good introductory article on using Nessus for scanning your hosts, if you don't yet already do this. (Which you should)

What was more interesting was that they pointed out that there is now a commercial version for Windows called Newt.

Will have to check that out.

Gene Spafford on Linux vs Microsoft Security

On one of the secure coding mailing lists that I am on Gene Spafford made an interesting and quite funny post in regards to Linux vs Microsoft security (although I must admit originally the thread was open vs closed source security which doesn't just cover Linux).. I just have to share it with you:

I see. If I ride in the Linux car, I know there are no seatbelts,
no brakes, and no crash-resistant gas tank. In the Microsoft car,
there might be brakes, there is sort of a seatbelt, and they are
investing tens of millions of dollars to improve the impact
resistance of the gas tank.

The designers of the Linux car are devoting time to adding tail fins,
a horn that plays the theme to Star Trek, and making the engine run
on left-over french-fry oil. The MS car designers include a team of
crack engineers devoted to making the car more secure.

Neither car is currently safe, but in the longer term under these
conditions, which one do you think will be safer in 5 years? Which
car should I choose to buy now if I need to buy a car? (and don't
have the time or training to be a mechanic, btw)

--spaf

Of course we have always heard these debates in OS flame wars, but for some reason the tail fin and french-fry oil made me chuckle.

Ken was smart enough to kill the thread before it got any more "heated", but alas... there is one serious and interesting point. Read spaf's last paragraph. I've been saying that for sometime now. That should be what Longhorn is about when it comes to security... if Microsoft does it right.

Time will tell on that bit.

Solaris 9 available free [for non-commercial use]

Sun has now released Solaris 9 for free download, allowing non-commercial use, on
either SPARC or x86 platforms. If you have a need for Solaris in your test lab, this might be a good choice for you. And its free to boot!

Lord of the Rings:Return of the King

OMG. Warren, Alan, Andrea and myself took the afternoon to go see it. I won't spoil it for you.... just go see it.

GO SEE IT NOW!

Reducing the attack surface of Windows

Today Michael posted an excellent entry with tonnes of good links on ways to reduce the attack surface of a Windows machine. As a quick summary, here is a list of readings on the subject:

• A great MSDN article entitled Fending Off Future Attacks by Reducing Attack Surface
  
• A great paper by Ernst & Young about using attack surface area and relative attack surface quotient to identify attackability
  
• A paper written by Michael, Jon Pincus and Jeannette Wing on Measuring Relative Attack Surfaces
  

Lots of good stuff.

Happy reading.

Checkpoint to acquire Zonelabs

What the heck is this, acquisition day? I go to meetings all day, come home late in the evening and find everyone is buying everyone else. *sigh*

If you haven't heard, apparently Checkpoint is buying Zonelabs for $205 Million. This is an interesting move. Checkpoint has been weak in the desktop arena, and this can signifcantly strengthen their offering... now extending to all endpoints in the network.

Good move Gil!

VMWare to be acquired!

OMG. Apparently EMC is buying VMWare for around $635 Million in cash. I hope they don't lose focus on the product. Its the best virtual emulator for doing kernel development testing on. Thank $DEITY for named pipes treated as virtual serial to use WinDbg +VMWare... its a GREAT combo that I use all the time.

OSX vs Windows Security

There has been a lot of debate about OSX vs Windows security, with the most recent being a strong article from PC Magazine criticizing OSX security. Today there was a great rebuttal by Richard Forno which you should check out.

I am never into finger pointing (and Richard has his own issues in his rebuttal... I could criticize, but I am not your average Windows user :) ), but this is getting to be an interesting thread. You should check it out.

Cultural differences between Unix and Windows programmers

Joel posted an excellent article entitled "Biculturalism", in which he discusses the cultural differences between Unix programmers and Windows programmers. Being that I come from both backgrounds, I can seriously relate to this, and appreciated the insight.

I found this quote interesting:

There are many details and subtleties, but for the most part it comes down to one thing: Unix culture values code which is useful to other programmers, while Windows culture values code which is useful to non-programmers.

You will need to read the article to see what thats about. :)

Developing Software in Visual Studio .NET with Non-Administrative Privileges

I know most of you have already read my really simple CodeProject article on Secure Coding Practices: Running with Least Privileges in Windows, but I came across a more focused article published on MSDN recently.

Lars Bergstrom wrote a good article entitled "Developing Software in Visual Studio .NET with Non-Administrative Privileges" which I think you should read. It covers off everything I discussed and goes further to assist beyond the code development cycle.

Happy reading!

Eau Claire: Finding potential security breaches in C

Today Brian Chess posted some interesting information about extended static checking to find common types of security vulnerablities in real C programs. The tool, called Eau Claire, looks for common types of security vulnerabilities such as buffer overflows, race conditions and format string vulnerabilities.

Although Brian admits it is not a program verifier, it looks like a pretty good tool to add as part of your QA process as it relates to static checking. I will have to look into this some more when I have some free time. I think that my verifier tools I already use do all this, but it never hurts to add more tests!

Bill Gates To Speak at RSA Conference

Wow, does Bill Gates have guts. Infoworld reports that Bill will be a keynote speaker at the next RSA conference in February.

I would really like to be there to see that. I would like to hear what he has to say. Pete Lindstrom said it best when he said:

Clearly, Microsoft is stepping up to the plate. It shows intestinal fortitude for Bill Gates to stand in front of an audience of academics and security experts and tell his story. But I'm more interested in the reaction of the crowd and whether they will be receptive than that he's giving the keynote.

Me too. Good luck Bill!

Microsoft Security Newsletter

It seems Microsoft published its first Security Newsletter today.

And you know what, its an online newsletter actually worth reading. (I can't believe I am saying that... I hate online newsletters that do nothing but self-promote themselves and have no useful information)

Happy reading.

DoS Web Service with a Single Packet

Just saw on Bugtraq that you can send a specially crafted SOAP packet that has a modified DTD in it to a Web Service and the XML parser will cause the CPU load to remain at 100% for as long as the process keeps running. Another effect is that memory (hundreds of megabytes) could not be freed, even after the CPU came down from the high load. In some cases, the parser returns an out of memory error after some time.

Nothing like a single packet to DoS your machine. *sigh*

There is a fix for it. Microsoft has released an update to the .NET Framework that fixes this. It is documented in KnowledgeBase article 826231, but this article isn't actually online yet.

ACL Security Management in C#

Ok, so I had a need today to do some serious access control work in C# and decided to google the early morning away trying to figure out how to work with security descriptors in C#. Not much luck. I get to a point that I decide I will need to use the system APIs that are available in C.

So I take the entire day and port all the SDDL, ACE and ACL stuff over from C into C#, marshalling all required functions to P/Invoke nice and pretty like.

I rip my hair out while I try to map the SECURITY_DESCRIPTOR struct correctly, and get it all working in about 8 hours. I am impressed with myself. Works great on checking DACL on a file. Then hell breaks loose. The world comes to a halt when for some reason I can't WRITE to the DACL. Ok, I spend more time googling to see if I can find the answer.

So what do I find after another hour of googling? That Renaud Paquay, a Microsoft employee that is active on gotdotnet.com has already fully ported all I want in the Microsoft.Win32.Security namespace. 10 minutes after downloading the source, not only is everything working, but I have access to even more features then my own port.

Arggggggggg!!! Gotta write today up as a learning experience with marshalling and P/Invoke, as it was a totally unproductive day otherwise. Then again... I do now have wicked access control in my latest app. On the fly DACL manipulation, oh ya baby.

So, if you are writing code in C# and need access to the Windows security APIs, check out Renaud's port.

Thanks Renaud!

Online version of Handbook of Applied Cryptography

I was recently responding to a comment on my blog about crypto and pointed out that the "Handbook of Applied Cryptography" covered the topic quite well. I just received two different emails from people asking me about the book, and how it rates against Bruce's Applied Cryptography. Well, I am a fan of Bruce's writing, so I am biased, and will refrain from commenting on the fact YOU SHOULD OWN BOTH BOOKS.

However, why don't you go read the online version of Handbook of Applied Cryptography and see for yourself?

Analyzing Your Applications with Windows Application Verifier

Today Michael posted an article on MSDN on using AppVerifier to analyze your Windows application. As a quick rundown on what it can do I will simply quote Michael's article:

AppVerifier watches your application when it is running and monitors its behavior by intercepting certain API calls. Sitting between your application and the operating system, it has the ability to verify an application's behavior by checking the parameters passed to API functions, injecting erroneous inputs to test the application's ability to recover from errors, logging changes to the registry and file system, and doing other API-level sanity checks.

That is so kewl. I am disappointed I didn't know this tool even existed. A note to Microsoft if you are listening.... please document these sort of tools more so we can use them! I would have added this to my QA process over a year ago, had I known.

Forensic Analysis of a Compromised Linux Harddisk

Spent some time tonight at the local University doing a presentation for the LUG about forensic investigation, and how to use common Linux tools available through Knoppix-STD to do an analysis of a compromised harddisk. I promised I would put the presentation online, so here it is.

The cavet is that as I look over the presentation, I notice much of it is useless if you were not there for the live demo. Seeing a listing of steps to take and tools to use isn't as good as actually seeing me use it to do an analysis right there in front of you. Recovering deleted data directly from the lost inodes and tracing the attack sequence is kinda hard unless you know HOW to use the tools. I'm sorry I didn't think about that sooner and screenshot it or something. Oh well... hopefully you will still get some use from it.

Don't forget, you can hone your skills by heading over to the Honeynet Project and taking a crack at their challenges. It is well worth the effort, and even kinda fun.

Password cracking using TeraFLOP and PetaByte Resources

Now here is an interesting paper on Teracrack. Basically they have examined the use of applying High-Performance Computing (HPC) resources such as parallel supercomputers to pre-compute and store crypt() based passwords that would be found using bruteforce cracking tools.

I love some of the findings:

Using the Blue Horizon supercomputer at the San Diego Supercomputer Center, we found that pre-computing the 207 Billion hashes for over 50 million passwords can be done in about 80 minutes. Further, this result shows that for about $10K anyone should be able to do the same in a few months time, using one uni-processor machine.

Now for all you beowulf cluster fans... here is another project for ya. :)

.NET Code Correctness with FxCop

Microsoft has released an interesting MSDN TV issue in which Michael Murray and Jeffrey Van Gogh from the CLR Team describe FxCop, the freely-available code analysis tool from Microsoft.

FxCop is a code analysis tool that checks .NET managed code assemblies for conformance to the Microsoft .NET Framework Design Guidelines. It uses reflection, MSIL parsing, and callgraph analysis to inspect assemblies for more than 200 defects in the following areas: naming conventions, library design, localization, security, and performance. FxCop includes both GUI and command line versions of the tool, as well as an SDK to create your own rules.

The FXCops team even has their own blog if you want to learn more. From the 12 minute video, it sounds like a pretty good tool. I will have to check it out when I have a few moments.

The fallability of Man: Misguided trust in Encryption

When Bruce Schneier published Applied Cryptography back in the middle of the 1990's (1995 or 1996 I believe) my world changed. There was a fundamental resource book I could turn to that properly documented cryptography and allowed me to take advantage of encryption to store my secrets programatically. You know the ones, how to best pour a Guinness, and how to take over the world. Some even said it was the book the NSA didn't want published. Bruce was even quoted to have said that "It is insufficient to protect ourselves with laws; we need to protect ourselves with mathematics.".

In 2000, Bruce stunned the world in the preface of Secret & Lies, when he stated that the new book was partially written to correct a mistake he made in Applied Cryptography... that he erroneously talked about cryptography as if it was "The Answer" without putting it into context. He even admitted he was naive about it.

The reality is he quickly fixed that mistake and throughout Secret & Lies touted that "Security is a process, and not a product".

What is funny today, now going into 2004, is that many people still don't get this. Worse yet is that people still think encryption will solve everything, and they put a misguided trust into encryption tools without really understanding how they work, or what they do.

Tie that with misguided fear many have towards Microsoft, this becomes a deadly combination. I saw that today while in discussion with another information security professional who has a really misguided level of trust in his understanding of his tools and not enough experience with the tools available to him. I was so frustrated with this arrogant attitude towards his solution that I just had to call him on it. Soon after, he realized his mistake... and we left the conversation both having to document the experience. Although his documentation now has to deal with the audit he just finished... since he wrongly assumed some particular data was securely protected... when it may not be. I on the other hand... decided to blog about it. :)

Lets reflect back on how this all started with a little bit of history to set the stage. I was called into a situation where a particular client has a need to surrender a few mobile desktops to another division of the company for a period of time, and that the division cannot have access to the information that has been stored on the machines, and that these machines cannot currently be reinstalled. (There is actually a reason for this, but I can't disclose why.) The solution was that the users routinely PGP encrypted the data on disk, and all they would have to do is move the data off and delete it from the machine.

First off, simply deleting the information in question is not enough. There are plenty of tools that can scrape a harddisk and recover files. And he knew this as this was already disclosed in his report. Those findings didn't both me. He felt the risk was low because it was encrypted data, and that would make it virtually impossible to recover, even if they could get the ciphertext.

I then asked him why he didn't use XP's Windows encrypted file system. His response was that he didn't trust Microsoft, and felt the users followed the security policy and correctly PGP encrypted their information. (Lets assume for argument sake this was the case, and the weakest link was NOT the human factor) This is when I had to say something.

Now I must say I like PGP and I mean no disrespect to it or its use. But even though it provides strong encryption, it is useless if you can recover the plaintext from the information on disk. And this was the problem exposed in this particular situation. There was still a risk of information disclosure.

Why? Because the file system was NOT encrypted, the files were at one point plaintext on the disk. Somewhere on some platter in the harddrive the documents may still be stored in clear text. And it might be recoverable. Simply PGP encrypting it is not enough. Especially when there could easily be backup cache files from office related documents that were not wiped correctly.

Using EFS would have been a better solution. (Although it was to late at this point) The plaintext would never have ever touched the harddrive, which would mean it was truly unrecoverable (Well, except for the most determined attacker... but thats another story). And if he had MISTRUST in Microsoft he could have found another encrypted file system to use from a third party vendor.

Moral of the story? I dunno.. you make one up. Trust, but verify? Know what your tools do? Use a proper disk wiping tool? I'll let you build your own conclusions.