April 29, 2004
Extrusion: Insider theft of digital assets -- best (and not so best) practices
ComputerWorld has an interesting article discussing the unauthorized transfer of a company's essential digital assets... commonly called extrusion.
Extrusion has a strange nature that stems from unexpected actions by trusted insiders in an environment assumed to be secure. For this reason, extrusion prevention requires both management and technology controls. This article reviews current best practices in four business control activities: human resources, the internal audit, physical security and information security. The author highlights disconnects in each activity and then recommends corrective action at the end of the article.
With the threats from within being the major focus these days, this article rings true to many a CSO. Have a read and judge for yourself.
April 28, 2004
Understanding IPSec on Windows Server 2003
Microsoft has released a document discussing their implementation of the Internet Engineering Task Force's Internet Protocol security (IPSec). IPSec provides network managers with a key line of defense in protecting their networks.
IPSec exists below the Transport layer, so its security services are transparently inherited by applications. IPSec provides the protections of data integrity, data origin authentication, data confidentiality, and replay protection without having to upgrade applications or train users.
If you want to learn more, consider checking it out.
April 26, 2004
Security Coding Issues
Nothing really new here, but if you are new to the subject it's a great primer.
TCP RST Attack Revisited
With the fact that there are now over 4 different sample exploit code segments in the wild, I wonder how long it will be before some script kiddie starts trying to netsplit his favorite IRC server *sigh*
Book Review - Exploiting Software: How to Break Code
Unless you know the threats to which you are susceptible, you will never be able to design secure systems. Technology changes, as do the attackers. Exploiting Software: How to Break Code has driven that home for me as it truly shows how, with the vast knowledge I have on the subject, I too am always able to learn more.
Gary and Greg did a great job in this book. It is well thought out and meticulous in the detail on showing just how to break code. If you design secure systems YOU MUST READ THIS BOOK. Hell, even if you don't you should read this book.
If you have been following previous blog entries you will know I have been raving about this book for some time. The reason I didn't post a review sooner is that I wanted to read the book twice to make sure I really understood some of the key components within the book in areas I wasn't the strongest in. And it was well worth the double take. I think I learned more the second time around when I better understood the concepts.
This book is not for the faint of heart. Although you can walk away with a lot at any level of programming knowledge, to really benefit from this book you have to have a strong understanding of assembler. Without it half the book will be useless to you as you won't understand the concepts presented. Perhaps a quick sidebar to discuss many of the common assembler instructions could have been helpful in the book to some... or even just reading an asm primer beforehand would help. Luckily I enjoyed assembler in university... it was one of the courses I got 100% in back in the day.
Which gets me to a point that I think other people will end up bringing up if they read the book. If you can't understand the assembler in the book, you won't get how to actually exploit code. In other words, if you pick up this book assuming you will walk away with a step-by-step guide with snippets of code to put together your own 'recipe' exploit you have another thing coming. Although there are some really good snippets ranging from payload insertion for overflows to rootkit mapping (and lots of other neat little tidbits in between) the reality is that this book shows you how to look for weaknesses and then attack them. I hold that to Greg's rootkit chapter which had some really detailed code on kernel injection techniques.
Which gets me to one of my favorite parts of the book. As someone who writes kernel code in Windows I REALLY enjoyed the section on patching the Windows kernel to remove all security. It was interesting to see how a couple of bytes could bypass the entire security manager in Windows, and focusing on SeAccessCheck was brilliant! However, I think this section was also a detriment to the authors. The book seemed quite professional right up until this point. We all know the weaknesses in the Windows environment and we all have concern about it. But the 'personalized' negative attitude and berating of Windows and even the US Navy had no place in this book. I'm not here to stick up and defend Microsoft on the subject, but I expected more professionalism from the authors as it relates to computer security here... they should have taken the high road on the subject. I can just as easily show how a rogue Linux kernel module can wreak havoc on a system just as the code presented here can. But it's futile to spew forth useless drivel about it. Let's not muddy the waters and focus on the real issue of exploiting code, and keep the personal tainting out of it. If I didn't know the author's work better this could very easily have damaged the credibility of the section, perhaps the entire book. So for others reading the book, just ignore the personal tainting and understand the methods involved. Yes, being able to do a bit flip to disable the entire security is bad. Better compartmentalization is good. :)
If you are in any way involved in red-team testing and want to know how to approach a target this book provides crucial knowledge and even some good insight on using tools like IDA to assist you. And if you are a developer this book will help you think more defensively about your approach to code.
What could I see done better? Well, it was nice to see how to BREAK code, but I would like that put into perspective on how to fix it. Although this book is said to be a great companion to Gary's book on Building Secure Software I think more should have been presented to map the two topics better. As an example there was one case where discussion ensued about fault injection techniques with very little discussion on defending this with user input validation testing. Mapping those concepts better could go a long way to further educate developers. Of course, that wasn't the intent of the book, and this is just my opinion. I am always for educating the developers about secure programming every chance we can get!
Overall, a great book. And one I recommend to the serious computer security software developers out there.
4 out of 5 stars.
Coder to Developer: Tools and Strategies for Delivering Your Software
Eric had an interesting book review on Coder to Developer that I found interesting. Looking through the table of contents this looks like a good book, although its relevance may quickly be outdated since it's so tied to the technology of today. Still looks like it might be worth reading.
I just finished reading Exploiting Software : How to Break Code this weekend (review to be posted shortly) and should be receiving The Product Marketing Handbook for Software in the next couple of days. Once I absorb that one I think Coder to Developer might be my next read.
April 22, 2004
Security in Longhorn: Focus on Least Privilege
Microsoft has released an interesting article on a least privileged environment that is going to significantly increase the security of the "Longhorn" Windows platform. The steps Microsoft recommends for the platform are to get started today by writing managed code, first of all, and, when building desktop applications, to make them LUA (Limited Unit Application programming interface) compliant.
Longhorn promises to be a great platform for least privileged applications. Read the article and learn how to get started today by writing managed code. When building desktop applications, you can make them LUA compliant and then use the Windows Application Verifier to help check your work. If you care about the future of security on Longhorn, this is a good introductory article.
April 21, 2004
New TCP Flaw Found - Reset Attacks around the corner?
Well, I wondered when this would surface. I heard about a presentation a couple of weeks ago that was going on at CanSecWest 2004 this week in which Paul Watson was going to discuss TCP Reset Attacks. The grapevine spoke of an interesting paper... but I never got a copy of it.
It appears that the UK National Infrastructure Security Co-Ordination Centre (NISCC) got an early copy of his paper yesterday and has issued an alert discussing various scenarios... including Paul's discovery of the practicability of the RST attack.
Basically the attack pattern is resetting an established TCP connection by sending suitable TCP packets with the RST (Reset) or SYN (Synchronise) flags set. The packets need to have source and destination IP addresses that match the established connection as well as the same source and destination TCP ports. Of course all this is easy to spoof... and quite easy to do with Perl and Net::RawIP. (And people commented on my entry about the practicality of Perl *pffft*)
You can read the details in the NISCC alert, which provides some information on mitigation techniques, including an interesting idea of resizing TCP window to deflect the attack.
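As an added example (my own code, not from the NISCC alert or Paul's paper), the following Python shows the in-window acceptance rule that makes a blind reset possible, how many RST segments a given window size forces an attacker to send (which is why shrinking the window helps), and a simple per-flow RST count that flags the attack's footprint in a capture. The packet records are constructed, not real traffic.

```python
"""TCP RST attack arithmetic and a simple RST-burst detector.

Added example, not code from the NISCC alert or the CanSecWest paper.
The packet records below are constructed stand-ins for a capture.
"""
from collections import Counter

SEQ_SPACE = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around


def rst_accepted(seq, rcv_nxt, window):
    """Classic (pre-hardening) receiver rule: a RST is honoured if its
    sequence number lands anywhere inside the current receive window,
    modulo 2^32 so that wrap-around is handled like the stack does."""
    offset = (seq - rcv_nxt) % SEQ_SPACE
    return offset < window


def guesses_needed(window):
    """Worst-case number of RST segments needed to sweep the whole sequence
    space when any in-window value is accepted: ceil(2^32 / window).
    A smaller advertised window raises this cost; that is the mitigation
    idea of resizing the window mentioned in the NISCC alert."""
    if window < 1:
        raise ValueError("window must be >= 1")
    return -(-SEQ_SPACE // window)  # ceiling division


def rst_burst_flows(packets, threshold):
    """Return the (src, dst, sport, dport) flows carrying at least
    `threshold` RST segments. A legitimate reset is one packet; dozens
    of RSTs aimed at one established flow is the blind-reset footprint."""
    counts = Counter(
        (p["src"], p["dst"], p["sport"], p["dport"])
        for p in packets
        if "RST" in p["flags"]
    )
    return sorted(flow for flow, n in counts.items() if n >= threshold)


# Constructed records: 50 spoofed RSTs stepping through the sequence space
# towards a long-lived client session, plus one ordinary ACK the other way.
SAMPLE_PACKETS = (
    [{"src": "198.51.100.7", "dst": "203.0.113.1", "sport": 6667, "dport": 44321,
      "flags": "RST", "seq": 1000 + i * 16384} for i in range(50)]
    + [{"src": "203.0.113.1", "dst": "198.51.100.7", "sport": 44321, "dport": 6667,
        "flags": "ACK", "seq": 55}]
)

if __name__ == "__main__":
    for w in (1, 16384, 65535, 2 ** 16):
        print(f"window {w:>6}: up to {guesses_needed(w):,} RST segments")
    print(rst_burst_flows(SAMPLE_PACKETS, threshold=20))
```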
Now just to get a copy of the paper and read Paul's research about the attack. Maybe I can get a copy from Joost since I know he was attending the conference. Joost? Otherwise, if you are in town attending the conference let me know and we can hook up for beers... and look at the paper more closely.
April 20, 2004
Practical PERL for the Information Security Professional
I found an interesting paper published by SANS that introduces Perl as a useful, flexible, and extensible tool for the security practitioner. The paper includes examples of Perl's ability to process log files, grab banners of network services, craft network packets and to exploit code that writes to unchecked buffers.
If you aren't using Perl for such tasks you really should look into it. It's a powerful tool that you will find makes life considerably easier for ya. Especially when doing fault injection testing, test parsing with regex and quick and dirty network test scripts.
April 19, 2004
GOLF CANUCKS GOLF
My Vancouver Canucks are out of the playoffs. And rightfully so... the Calgary Flames played with more heart in tonight's game than Vancouver ever did. Didn't help that Jovo turned over the puck 3 times for scoring chances, and pulled stupid penalties that had him in the box during overtime. (Although the last few seconds tie-up goal had me and Alan jumping all around screaming at the top of our lungs!)
Maybe next year. *sigh* Now I guess I gotta cheer for Ottawa. Canada needs the cup back. :(
Security Checks at Runtime and Compile Time
Microsoft has released an article on MSDN which demonstrates Visual C++ compiler and library features for helping developers increase the robustness and security of their applications.
Included in the article is information on using the following switches:
If you are using a language that is not typesafe like C++ and are using a newer MS compiler you should really read about these options. Well actually, even if you aren't using C++ you will find the article interesting... you should read it anyways.
April 16, 2004
Product Marketing Handbook for Software
Joel pointed out an interesting book called The Product Marketing Handbook for Software which projects itself as the definitive guide to successful software marketing. It discusses the industry's special challenges and provides solutions specific to the task of marketing and selling software. From blogs through to E-mail and webinars, if you want to succeed in marketing and selling your software, I'm told you can't afford to be without it.
I have been thinking about ordering this. I originally was going to buy it on Chapters or Amazon with my special discount, but it looks like this is self-published. I took a few minutes and called the company, and had the pleasure of actually speaking with the author. He gave me a bit more comfort, and I have decided I will pick up this book this month and leave Purple Cow: Transform Your Business by Being Remarkable for reading next month.
I like alternating between technical and business/marketing books. It is not only refreshing... it allows me to gain more knowledge in both disciplines. It also keeps me away from becoming a zombie in front of my computer or the TV.
If you have read this book, please let me know. Would love to hear other people's review of it.
Security Enhancements for Remote Access at Microsoft
Microsoft has released a slide deck which includes a detailed discussion of how Microsoft IT significantly improved the security of its corporate network remote access solution using the latest generation of Microsoft products.
It's quite informative and reminded me of when I was in Robert's house and I was asking what the smart card reader was for. :)
April 15, 2004
Open Source vs. Closed Source Security
As part of their tour for their latest book "Exploiting Software: How to Break Code" (a great read.... something I highly recommend and will be reviewing shortly) Gary and Greg have a segment in the interview where they discuss why IT DOESN'T MATTER IF CODE IS OPEN OR CLOSED from a code audit perspective. So many OSS fans refuse to accept this, and until they understand how you can get the code from the binary... it will continue to be a futile debate. Perhaps they need to get their own copy of the book :)
Securitydocs.com: The Information security library for the infosec pro
SecurityDocs.com is a directory of information security articles, white papers, and other documents that information security professionals find useful.
The value of SecurityDocs is that it collects white paper metadata from other popular security sources. This allows InfoSec professionals to browse by category or search for papers based on the category, description, title, rating, and other information specific to that paper. Allowing viewers the ability to rate and comment on papers gives future readers a better expectation of the paper's value.
SecurityDocs is completely free and does not require registration before accessing any of the features.
From what I have quickly browsed through, it looks like a pretty good resource!
Windows Server 2003 Deployment Kit: Designing and Deploying Directory and Security Services
Microsoft has released a book describing how to design, deploy, upgrade to, or restructure to a Windows Server 2003 Active Directory environment. This book also describes how to design and deploy Windows Server 2003 distributed security services for authentication, access control, and certificate use.
Here is a brief outline of the contents:
You can download the entire book here. Enjoy.
April 12, 2004
Forensic Analysis of a Live Linux System
I know I have had quite a few people interested in my presentation on doing a forensic analysis of a compromised Linux hard drive, and judging by the number of people that have asked for my presentation slide deck, there is a lot of interest in the subject.
SecurityFocus has recently published a pair of good articles on doing a forensic analysis of a LIVE Linux system. So where my presentation on grave robbing a dead drive goes down one path, these articles go down the other and allow you a more in-depth analysis of the running host. (Although I must admit, in practice, I am not one to allow a compromised system to stay up and running once it's been determined to be breached... I would rather mirror the system and then test it in an isolated environment... VMWare is your friend!)
Anyways, well worth the read... you should check it out:
April 08, 2004
Improving Security Across the Software Development Lifecycle
On the heels of Gary's take on Processes to Produce Secure Software, the National Cyber Security Partnership (NCSP) Task Force has drafted some secure code guidelines. The preliminary recommendations provide the first in-depth look at improving security across the software development lifecycle.
The NCSP Task Force report makes four key recommendations:
TCPA: The Mother(board) of all Big Brothers
Back in November I had a post about NGSCB and BIOS vendors in response to some paranoia Alan had and never got around to pointing out some of the benefits and drawbacks to trustworthy computing. I have been following the field of trusted computing for some time, especially how it relates to NGSCB in Longhorn and sometimes think more people need to know about it.
Recently I came across an old presentation done at Defcon X by Lucky Green on "Trusted Computing Platform Alliance: The Mother(board) of all Big Brothers". I even found the original slide deck which paints an interesting picture on the subject.
With information ranging from the Fritz chip (the Trusted Platform Module(TPM) that is being included in future motherboards) to the TCP boot process, there are some really good tidbits if you were new to the subject.
It even goes on to discuss the Fritz Hollings Bill (S. 2048) and issues with the GPL that HP has in developing a TCPA-compliant version of Linux. And as usual if the GPL is used in an article which relates to anything remotely dealing with Microsoft Stallman has to have his say... "Treacherous computing is a major threat to our freedom".
April 06, 2004
Test-Driven Development in Microsoft .Net
Been looking a lot into test driven development lately, especially the idea of integrating NUnit into our development process. There seems to be a great book on it entitled Test-Driven Development in Microsoft .Net which I will have to get once I finish reading Gary's book on Exploiting software: How to break code.
Before I get to trying some stuff with NUnit I really need to get our build system redone. Recently I saw an interesting post from Scott Hanselman about his integration of Nant, NUnit and CruiseControl. This is something I have been wrestling with for some time.
I have yet to find a good build system for my stuff. Right now I have a pretty frail set of perl scripts that does the following:
Right now I am trying to see if there is any way I could hack together a solution to somehow do DDK builds executed from Nant. Not even sure that's possible, but it's worth investigating.
Anyone else out there dealing with this challenge? How the heck can you get DDK code and .NET code to build in the same environment.
The next couple of days I think I might at the very least see if I can merge all the .NET stuff into a single Nant build script. I will need to figure some way of dropping DotNetfuscator and finding a cmdline obfuscator which doesn't require visual studio to be running. Will let you know how it goes.
April 05, 2004
MSDN Webcast Review: Top 10 Ways to Secure your Desktop App in .NET
Going into this webcast today I didn't know what to expect. It was rated as a technical presentation, and I was interested in seeing how much I could apply to my winform apps. I have found a lot of Microsoft's webcasts on .NET security focus so much on web services they completely forget some people actually are trying to replace MFC applications with .NET Winforms.
With very little expectations going into this thing, I couldn't really be disappointed. This presentation was pretty good, although I must admit my mind wandered off a few times. Don't know why. He wasn't boring. But he wasn't all that exciting either.
I did like the discussion on declarative security and showing how to use principal permissions within code. I do that now by using the WindowsPrincipal roles to determine access restrictions directly within the form, but it was neat to see how he applied it directly to functions with things like <PrincipalPermission(Security.Demand...>
In the next few days the presentation will be online on-demand here, which will let you check it out for yourself. In the meantime, I kept a copy of the power point slides of the presentation, which you can get here.
Hmmm, I am starting to amass a little library of MSDN security webcasts. If you want to get the slide decks of some of the other presentations I attended, hit the search box on the bottom right and type in "MSDN Webcast Review".
Building Security In: Misuse and Abuse Cases
Gary gave a heads up on the SC-L that an advanced copy of his second installment about Building Security In is complete. The article, entitled "Abuse and Misuse: Getting Past the Positive" is copyright (c) by the IEEE and will be published in Volume 2, Number 3 (May/June) of the IEEE Security & Privacy magazine.
This series of articles is good to see in an IEEE publication. And from what I have seen from this advanced copy of the article, I can't wait for future installments. Oh yes I can... I am only halfway done Gary's other book.
Lies, Damn Lies, and Statistics
If you recall my posting last week, I talked about Bill Gates' email revisiting Microsoft's ongoing security initiatives. Near the end I pointed out some of the stats that Bill used to show the significant reduction in serious security related vulnerabilities of Windows Server 2003 in the first 320 days compared to the same time period for Windows 2000.
Well according to an article at vnunet.com Joe Wilcox, an analyst with Jupiter Research, commented that Gates "must have a different way of counting", and refutes Bill's stats. Surprise surprise.
Wilcox said he counted 15 security alerts for Windows Server 2003 since the product shipped in April 2003, which rose to more than 20 when products integrated into Windows, such as Internet Explorer Server 2003, were taken into consideration.
"I figure where there is one counting disagreement, there might be another. So I went back and counted up those Windows 2000 Server security alerts. I came up with 28 during the same span of time I got 15 for Windows Server 2003. Windows 2000 Server reached 15 alerts seven months after launch," he said.
Something else I found interesting was that he added that an upcoming Jupiter Research report on Microsoft security reveals that a mere 36 per cent of IT managers from businesses with revenue of $50m or more feel that Microsoft product security has improved.
So... what have we learned here? 82% of stats cannot be trusted. But don't quote me on that. I made it up. :)
April 02, 2004
FxCop 1.3 Is out.. and it rox!
OK. Kudos to the FxCop team.
First off, I need to thank them for sending me this kewl t-shirt. Nice little Microsoft logoware with an FxCops twist. I appreciate it. Thanks Mike!
Secondly... I installed the latest build (1.30) today and see that they fixed the biggest issue I had! It no longer locks my assemblies. So I now have FxCop running alongside Visual Studio! Next job is to figure some way to get it to execute on a post-build event so I can run it through FxCop after each major compile.
And who says Microsoft doesn't always listen?
Open Source Vulnerability Database Goes Live
Heard today that the Open Source Vulnerability Database (OSVDB) has gone live. Congratulations guys!
OSVDB is an independent and open source database created by and for the community. Their goal is to provide accurate, detailed, current, and unbiased technical information about vulnerabilities. Tools like snort and nessus are now incorporating the database directly into their products.
I really like the idea of OSVDB, but wish they could work more closely with CERT and the Common Vulnerabilities and Exposures (CVE) database. We don't need yet another database. We need a vendor neutral one that everyone is willing to follow and support.
They say the overall goals of the project are to promote greater, more open collaboration between companies and individuals, eliminate redundant works, and reduce expenses inherent with the development and maintenance of in-house vulnerability databases. I think time will tell if they are actually going to meet these goals in relation to the already available systems out there.
A lot of people don't always agree with the way CVE runs, but it works. And has worked for some time. And it is already integrated into tools like nessus. Why do we need another one? Let's focus on making one GREAT.
Anyways, I mean no disrespect to the group over at OSVDB. As I said, I like the idea... just wish energies could be focused on one database we can all tap into. OSS or not.
Code Secure: Michael Howard talks about security changes in VS2005
MSDN recently published an article Michael wrote giving an overview of the security changes happening in the Visual Studio 2005 C runtime and C++ standard template libraries.
It is interesting to see some of the cleanup that is occurring in the libraries, especially the CRT. Of course, this basically misses me. On one end I write in raw C inside the Windows kernel at ring 0, and C# on the user mode ring 3 level. But alas, some really good insight into the moves Microsoft is making in the core C runtime library.
Computer Forensics, Cybercrime and Steganography Resources
This morning I opened up my mailbox to find an email from Jacco Tunnissen over at honeypots.net letting me know that my Linux harddrive forensic analysis presentation (slide deck here) is now being linked on the Computer Forensics, Cybercrime and Steganography Resources page.
One of these days I will have to update that to include a bit more of the actual demo, since it's the demo that actually shows how to do the analysis. Once you actually SEE a MAC timeline created live and then do a block by block analysis things start to make a bit more sense.
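To show what a MAC timeline actually is, here is an added Python example (my own illustration, not the demo code from the presentation) that turns per-file modified/accessed/changed times into the sorted one-row-per-event listing a timeline tool produces, then pulls out the files touched after a suspected compromise time. The file records are constructed, not taken from a real image.

```python
"""Build a MAC (modified / accessed / changed) timeline from file metadata.

Added example, not the presentation's demo. SAMPLE_RECORDS below is
constructed stat() output for a few files, not data from a real drive.
"""
from datetime import datetime, timezone


def mac_timeline(records):
    """Return sorted (epoch, path, flags) rows, one per distinct timestamp.

    Each record is {"path", "mtime", "atime", "ctime"} with epoch seconds.
    flags is a three-character field in m/a/c order; a letter is present
    when that time equals the row's timestamp, '.' otherwise, so a file
    whose three times coincide yields a single "mac" row.
    """
    rows = []
    for rec in records:
        by_time = {}
        for letter, key in (("m", "mtime"), ("a", "atime"), ("c", "ctime")):
            by_time.setdefault(rec[key], []).append(letter)
        for ts, letters in by_time.items():
            flags = "".join(ch if ch in letters else "." for ch in "mac")
            rows.append((ts, rec["path"], flags))
    rows.sort()  # chronological; ties broken by path so output is stable
    return rows


def format_timeline(rows):
    """Render rows as 'YYYY-MM-DD HH:MM:SS  flags  path' (UTC)."""
    out = []
    for ts, path, flags in rows:
        stamp = datetime.fromtimestamp(ts, tz=timezone.utc)
        out.append(f"{stamp:%Y-%m-%d %H:%M:%S}  {flags}  {path}")
    return out


def touched_after(rows, cutoff_epoch):
    """Paths with any m/a/c event at or after the suspected compromise time.
    ctime is the useful one here: unlike mtime it cannot be reset with touch."""
    return sorted({path for ts, path, _ in rows if ts >= cutoff_epoch})


# Constructed records. /bin/ls was installed long ago and merely read later;
# /etc/passwd and a hidden file under /tmp were written during the incident.
SAMPLE_RECORDS = [
    {"path": "/bin/ls", "mtime": 1080000000, "atime": 1081500000, "ctime": 1080000000},
    {"path": "/etc/passwd", "mtime": 1081600000, "atime": 1081600000, "ctime": 1081600000},
    {"path": "/tmp/.x/run", "mtime": 1081590000, "atime": 1081595000, "ctime": 1081590000},
]

if __name__ == "__main__":
    timeline = mac_timeline(SAMPLE_RECORDS)
    print("\n".join(format_timeline(timeline)))
    print("touched after cutoff:", touched_after(timeline, 1081590000))
```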
Anyways, I checked out the page and there are some really good links in there. If you are into computer forensics I highly recommend you check some of them out at www.forensics.nl.
April 01, 2004
MSDN Webcast: Dave's Top Ten Ways To Secure Your Desktop App
Next Monday from 9am to 10:30 (PST) there is going to be a security webcast on MSDN that relates to how you can secure a desktop application using the architecture in .NET. In this webcast, you will see some practical best practices for securing your .NET desktop application.
The following topics will be covered:
If you can't make it don't fret! They will have it available later for download. Of course, I will summarize the experience when I am done if you just want the highlights!
Processes to Produce Secure Software
Gary fired off a message to SC-L pointing out that the National Cyber Security Partnership released a set of reports about the problems with software security today. Included was a report that he co-authored with Mike and a few others on the process of producing secure software.
The principal recommendations in this report are in three categories: