Least Privileges + Games = Microsoft Achilles Heel?

Ok. So if you are a regular reader of my blog you know I have went off on a few tangents about least privilege in the past. Let's see, what are a few of the topics I have talked about:

• Developing with Least Privilege
  
• Complaints on the lack of intelligence for runas
  
• Found a HUGE hole in credential management for runas
  
• Gave out some kewl XP registry hacks to limit application access in a SIMPLE way (read: can be defeated)
  
• Discussed how to spawn external processes securely in Windows, limiting access to a user's security context with CreateProcessAsUser()
  
• Discussed how to programatically use restricted tokens to execute a Process
  
• Discussed Least Privilege as one of my 8 Rules of Information Security
  
• Explained why I believe Longhorn has the wrong stance when it comes to user security, and should be adopting a least privilege stance for ALL users
  
• Discussed problems I found with least privilege in XPSP2
  
• And most recently talked about the fact Microsoft isn't setting a very good example when it comes to least privilege by running as Administrators when they shouldn't.
  

Today I want to discuss something that is more practical when it comes to issues with least privilege, and things Microsoft is going to need to do about it.

If anyone reads my blog from the division that publishes Microsoft games, listen up!

I want to discuss least privilege, and games.

For least privilege to be taken seriously, and be used correctly, it has to work everywhere, all the time. It has to be easy for the user to use, adopt and run without affecting their computing experience. If you make it to hard, they simply won't do it.

This is EXTREMELY paramount for kids. You know.. the little people in your house that know more about computers than you, and can kill more terrorists than the US Army Rangers because of the sheer amount of online training with CounterStrike and all the other fun games out there.

Well, if you can't make their gaming experience work with least privilege, little Johnny will never accept the computer the way it is... and you got a problem.

What am I talking about? Well today I stumbled across a knowledge base article on Microsoft's site which discusses how a problem in the CD verification routines prevent some games from functioning on XP. Especially when fast user switching is involved.

Ok, so the immediate reaction is "this is a software issue with the CD verification software". Yep. But its more than that. This isn't Joe Smith's personal Q-Bert game we are talking about here. These are Microsoft's published games. Here is the list provided in the knowledge base article:

• Microsoft Age of Mythology
  
• Microsoft Age of Mythology: The Titans
  
• Microsoft Age of Empires II: The Age of Kings 2.0
  
• Microsoft Age of Empires II Expansion: The Conquerors
  
• Microsoft Age of Empires II Gold Edition
  
• Microsoft Baseball 2001
  
• Microsoft Casino
  
• Microsoft Classic Board Games
  
• Microsoft Combat Flight Simulator 2: WWII Pacific Theater 1.0
  
• Microsoft Combat Flight Simulator 3: Battle for Europe
  
• Microsoft Crimson Skies
  
• Microsoft Dungeon Siege 1.0
  
• Microsoft Flight Simulator 2004 – Century of Flight
  
• Microsoft Flight Simulator 2002
  
• Microsoft Flight Simulator 2002 Professional Edition
  
• Microsoft Flight Simulator 2000
  
• Microsoft Flight Simulator 2000 Professional Edition
  
• Microsoft Freelancer
  
• Microsoft Golf 2001 Edition
  
• Microsoft Halo: Combat Evolved
  
• Microsoft Impossible Creatures
  
• Microsoft Links LS 2000
  
• Microsoft Links 2001
  
• Microsoft MechCommander 2.0 1.0
  
• Microsoft MechWarrior 4: Vengeance
  
• Microsoft MechWarrior 4: Mercenaries
  
• Microsoft Metal Gear Solid
  
• Microsoft Midtown Madness 1.0
  
• Microsoft Midtown Madness 2 2.0
  
• Microsoft Motocross Madness 2 2.0
  
• Microsoft NBA Inside Drive 2000 1.0
  
• Microsoft NFL Fever 2000 1.0
  
• Microsoft Pandora's Box 1.0
  
• Microsoft Rise of Nations
  
• Microsoft StarLancer 1.0
  
• Microsoft Train Simulator 1.0
  
• Microsoft Zoo Tycoon
  
• Microsoft Zoo Tycoon: Complete Collection
  
• Microsoft Zoo Tycoon: Dinosaur Digs Expansion Pack
  
• Microsoft Zoo Tycoon: Marine Mania Expansion Pack

So why do you care? Because one of the recommended solutions is to log on as Administrator to play the game! COME ON PEOPLE... NEVER RECOMMEND TO RUN USER MODE APPS AS ADMINISTRATOR!

Thats like telling Linux geeks to run Quake as root. Please, please do. I need another rooted box.

Let me give you an example of WHY this is a bad idea, based on a recent experience I had.

I am a big fan of the game Wolfenstein: Enemy Territory. I don't have a lot of time to play games, but when I do, ET is at the top of my list. Recently I joined a server which wasn't playing very nice. I have the ability to download maps turned on. On this particular server instead of it playing nice and downloading the maps I needed, it somehow forced the game to ShellExecute a http request, shutting down the game and tried to lauch the default web browser. HELLO? See anything wrong here?

Lucky for me my intrusion prevention system I wrote kicked in, noticed that a game was trying to call a web browser and promptly stopped the action from occuring. But what MIGHT have happened if I didn't have my IPS running? If I would have had a vulnerable IE browser (I don't run IE so even without the IPS this attack would have failed since FireFox is my default browser), they could have kicked off an attack sequence by directly forcing me to the malicious URL. Now imagine if I was also an Administrator when this occured. Uh oh. Big time problems.

So please listen up. Telling someone to run ANYTHING that is NOT REQUIRED to have admin access should be shunned. Stop it. Don't do it. If you believe that you HAVE to be an administrator, rethink the game and try to find ways to isolate only those specific functions that require elevated privileges.

Now, I am not a game developer, and I could understand that low level hardware access typically requires higher privileges. But I was always under the impression that this was what DirectX was for. To expose low level access to user mode in a safe way. But other than the hardware control, I can't even fathem why you would need admin privileges to play a game.

To be fair, some of these games were written before the big security push at Microsoft. And many of them are games Microsoft bought from outside the company. But if you are going to talk the talk as it comes to least privilege, all your apps need to take this into account in the future Microsoft. And that includes game.

Actually, I would consider games to be one of the areas you need to be MOST concerned about. CSO/CIO in major corporations will have layered defenses to help protect against vulnerable and exploitable software. Little Johnny's computer probably won't. And all we need is another couple of thousand zombies thanks to a weakness like this in the next version of Microsoft's <insert game of the week here >

Passwords vs. Passphrases

Today I read an interesting post by Robert Hensing (incident response specialist for Microsoft) about the fact that you shouldn't use passwords of any kind on your Windows networks. Ok, now before you foam at the mouth and think he's nuts, take some time to read the post. Its rather interesting.

What Robert is getting at is that in this day and age, with the number of different techniques that exist passwords (especially through pre-computed hashes) are easy to break. His solution, use long passPHRASES that are more difficult to break through attack vectors such as LC. OK, I'll buy that for a dollar. Mostly because thats all that its worth.

Robert makes a good point that if you have a longer "passphrase", its is extremely difficult for pre-computed hashed to crack per character. What he fails to really point out is that password entropy doesn't simply get better by using length, UNLESS IT IS RANDOM! Shifting to longer passphrases is good, but only to the extend of the random nature of characters used.

Why do I say that? Because tools already exist in the underground that now include precomputed H4CK3R 1337 5P34K, and normalized words that are part of the english language. The weakest link is the human factor here. A passphrase of:

Bob's your uncle! Is Alice in wonderland? The answer is 42.

...is great on length, uses a combination of of upper and lower case letters, digits and even special punctuation characters. It is extremely easy for me to remember, I won't even need to write it down. Yet you know what? It is weaker than a password I can make up that is just as easy to remember, but is way shorter. Let me explain.

As Robert points out in his post, brute force attacks using pre-computed hashes on longer passphrases is nearly impossible due to the sheer hardware requirements needed to store all the pre-computed results. Ram and diskspace limitations make this much more difficult. However, by using passPHRASES you break down the password into distinct elements, in this case in the english language we call those WORDS. So the parser breaks down the above passphrase into 14 distinct components which are guessable. (You break out punctuation as its own word here). Attackers know this. And can use that to their advantage.

Now to be fair, a passphrase with 14 distinct components is still amazingly strong, and difficult to crack. However, it also becomes too easy to break down in password management for the user. Why? Well for starters:

• The longer the passphrase, the easier it is to mistype
  
• The easier it is to type out (assuming you are a good typer) the more lax your thought processing will be when entering passwords.
  
• The longer the passphrase, the more tiresome it may be for the user to input, in which case they will settle with "b0bsuncle" later when they get tired of typing it the longer and much safer password
  
• Even if you could make this all random, easy to enter and protected against user input errors, a passPHRASE of this length is insane. Its like using a 8192 bit PGP key. Its effective strength is great, but insanely impractical for decryption purposes. In security its about "what is enough security", not "what is the ultimate security".
  

Let me show you a just as effective way of making a strong password/passphrase that will defeat most cracking attack vectors, is easy to remember, and is prone to LESS input errors by humans, the people we are wanting to protect here.

Use the same passphrase technique as Robert suggested in your head, and simply type out the first letter, and any numbers and punctuation that come out of it.

For the passphrase:

Bob's your uncle! Is Alice in wonderland? The answer is 42.

You would get a password of:

Byu!IAiw?Tai42.

Now under the guise of a complex random password, you actually have (in this case):

• A strong 15 character password with a good effective bit strength. This meets the criteria of a "long enough" password (anything over 14 random upper and lower characters, which also include digits and punctuation will generate a 'good enough' password for most networks that will thwarte pre-compute and other brute force attacks)
  
• It is easy to remember, hard to guess.
  
• Requires thought as your brain processes each word individually as you type the first character. Studies have shown if you actually have to THINK about something as you type it, it is less prone to error
  

Robert brings up very interesting thoughts in his post. And you should seriously consider following them, with one change. Remember the user. As security professionals, its easy for us to use insane passwords for protection. We are supposed to know better. But Alice in accounting just isn't going to follow it. With my slight change to simply type out the first letter of each word, and any numbers and punctuation that come out of it, you have a much more PRACTICAL passphrase that is 'good enough' for most networks. With a bit of user education, this can become extremely effective.

Oh, and if on the next password rotation you don't feel like using the first letter of every word, change it up. Use the last letter. Or the second. Just remember if you make it to difficult, you will forget it, making it no better than 'g0d' or 'P4$5w0rd!'. Especially since you are going to have to call IT services to reset your password anyways.

Unit Testing for WinForms

Now this is interesting. I just saw a post today about NUnitForms, an extension to NUnit for unit and acceptance testing of Windows Forms applications.

From the documentation, I really like the idea that NUnitForms provides a Recorder application that can record your interactions with a form and "write" a test for you that duplicates your actions. Thats right, it WRITES the test for you. This is a very interesting way to create unit tests for your UI.

I need to make some time to really take a look at this after our next release. It might be interesting to integrate into our testing framework. With all these little gems of late that I keep finding I think its getting close to time to hire someone dedicated to building a more formal test plan that includes NUnit and extensions like NUnitForms in the testing process.

Collaboration in a Secure Development Process

In the June issue of the Information Security Bulletin there is an article examining specific ways that the security and development teams can collaborate while software is being designed and developed as opposed to only patching software once it has been deployed. The article explores how software is extremely malleble in the design and development phase, once the architectural layers, tiers and distribution models are set and the application is deployed, then the cost and complexity of making changes rises dramatically.

My favorite part of the article is the clarity it gives in a table of the Software Development Activities and Artifacts. It clearly relates development processes and security-specific artifacts. Basically it looks something like this:

Phase Activity	Standard Software Development Process Artifact	Security-specific artifact
Analysis	Use Case	Misuse Case
	Functional and non-functional requirements
	Glossary
Design	Object modeling	Threat Modeling
	Design Patterns	Data Classification
		Security Integration Design
Coding	Unit Tests	Unit Hacks
	Code Development	Countermeasure and detection development
Deployment	Build and configuration	Security Baseline
	Operational processes	Response processes
		Integration to Overall Security Architecture
Table 1- Software Development Activities and Artifacts

Anyways, this was part one of a series on the topic. Will be interesting to read the next installment. If you are into secure programming, this article might be an interesting read to pass along to your dev team partners.

Windows Forensics and Incident Recovery

While checking out a comment on yesterday's post on Windows Forensics: Have I been Hacked? I came a cross a new book on the subject that hasn't been released yet, but looks like it might me an interesting read.

Harlan Carvey has written a book to be published next month called Windows Forensics and Incident Recovery which looks quite interesting for the forensic investigators out there. Here is a quick TOC:

• Chapter 1 - Introduction
  
• Chapter 2 - How Incidents Occur
  
• Chapter 3 - Data Hiding
  
• Chapter 4 - Incident Preparation
  
• Chapter 5 - Incident Response Tools
  
• Chapter 6 - Developing a Methodology
  
• Chapter 7 - Knowing What To Look For
  
• Chapter 8 - Using the Forensic Server Project
  
• Chapter 9 - Scanners and Sniffers
  
• Appendix A - Installing Perl on Windows
  
• Appendix B - Web Sites
  
• Appendix C - Answers to Chapter 9 Questions

As it hasn't been published yet, I haven't had a chance to read it to really scope it out, but if the TOC is any indication, it might be an interesting read. I am just finishing up Threat Modeling right now (review to follow shortly), and this comes at a good time. If you want to explore some of the topics, tools and techniques that will be covered in the book, Harlan has a website up at www.windows-ir.com which includes links to some of this stuff.

Maybe with any luck Harlan will be as generous as Ken was in sending me an advanced copy of Secure Coding: Principles and Practices or Gary, who while reading my comments, decided to send me an early copy of his book Exploiting Software:How to break Code.

Now that I think about it, I'm blessed with a lot of quality readers of my blog who seem to be great authors. If you are an author with a book on infosec or secure coding, and would like me to read and review your book, please contact me at dana@vulscan.com. One thing though... you HAVE to personally autograph it. I've started a collection of personally signed security books. Right now I got signed books from about a half dozen great authors. Want to join them? Send me a book!

Windows Forensics: Have I been Hacked?

The guys over at Bleeping Computer have written a tutorial that will show you how to determine if your Windows NT, XP, or 2000 box is hacked and how you can go about cleaning up the files they may have left behind.

The tutorial shows you how to detect most hacks, but there are other methods that will be much harder to detect and will require a greater degree of knowledge in detecting them. The author believes that most of the hacks that are done in mass, especially by the script kiddies, will be detectable through these methods.

Its a quite simplicitic approach, but does give a good overview of some of the tools that a forensic analysis of a Windows system should use:

• Fport - Lists all open ports (Think nstat like)
  
• TCPView - Similar to Fport, but graphical, and shows more info such as CLOSED connections (very important post analysis)
  
• Process Explorer - A great tool from Sysinternals which shows parent/child relationships with processes
  
• PSTools - A set of cmd line tools used to open and kill processes, control servives, change passwords etc
  
• Filealyzer - Windows explorer shell extension to your right click on a file
  

If you ever have to work on a Windows system for any sort of forensic analysis, you really need to learn these tools. This article is a good way to start.

DHS meet Sesame Street

OK, so you know that US threat level system that the Department of Homeland Security uses to tell its fellow Amercians about the level of terrorist threat in the country?

In an effort to make this more personably, especially to families, perhaps they should start using the Sesame Street Terrorist Level indicator.

Auditor security collection

If you read my blog much, you know I am a fan of Knoppix-STD. It's a great "Security Tools Distribution" using the Knoppix Live system as a base for the information security professional.

This morning I read about Auditor security collection, the self proclaimed "Swiss Army Knife" for security assessments. It is a Knoppix-based, unified platform focused on penetration tests.

From the list of included tools, it's pretty impressive. Of course most of this is already included in STD, but if you wanted to check out an alternative focused on pentest, this might be the CD for you.

One of these days someone is going to have to make one of these CDs work on Windows. Maybe not as a "Live" CD, but as a suite of tools that just work when plugged in.

If I only had the time. *sigh*

Kayaking in the Beauty of British Columbia

In case you don't know, this year I took up sea/touring kayaking in an effort to get outdoors more. I live within 20 minute of 3 lakes, and a major white water river where I believe some of Canada's best practice regularly.

Now, I am not into whitewater kayaking. Its an adrenaline rush to be sure, but I enjoy the paddling experience of a crystal clear lake with a bit of fog on the water at 8 in the morning. Nothing beats the calm solitude, where the birds chirp and the cool air tickles your entire being. Or kayaking in in the sea while watching Orcas swim past you. Nothing beats having your mind in a completely different universe than the Internet.

Well this weekend, much like Alan, I kinda over did it with two full days of kayaking. I put on SPF30 sunblock on my arms, but forgot I was wearing a sleeveless top, which means my shoulders are as red as a candy apple. There is so much heat still coming off of the burn its not even funny. Its difficult to lift the arms to type!

But the paddling was awesome. We actually got together with some of the kayak experts at Western Canoe and Kayak and practiced some neat rescues and even did some stand up kayaking. You haven't kayaked until you have rafted up with a buddy and have one of you stand up and paddle. Very interesting sensation.

Anyways, besides a very painful sunburn the weekend was great. If I would have known Alan was going to Hicks I might have headed that way. Small lake with no motor boats allowed, and is rather warm. Great place for a novice kayaker to go for a couple of hours. Oh well, maybe next time.

Office 2003/XP Add-in: Remove Hidden Data

If you have some time to blow one day, go onto google and do a search for some interesting files. During some competitive research I was doing one day I typed something like:

filetype:xls inurl:sales

It ended up giving me results for sale forecast information for various companies who have erroneously configured their servers. I refined the search with inurl, and was even able to pick up some interesting research in my industry.

Why do I tell you this? Well, although the powers of google made access to the document possible, it was a weakness in the document format that gave me the most competitive intel. Office documents routinely have extra information that the publisher may not have intended. You can see who worked on the document. With tracked changes you can even see what has changed over time. In my case, I was able to get a sale forecasting chart which included demograph details, with comments in particular cells of interest.

Scared? You should be. When you send an office document electronically, are you sure there is no extra information disclosure issues? Is proprietary information being leaked to competitors who take time to do this sort of research? This is one of the primary reasons our office policy is to only ship out PDF documents where possible. It removed such risks.

Well, Microsoft acknowledges this potential disclosure issue, and has come out with a solution. You can download the Office 2003/XP Add-in: Remove Hidden Data, which as the name implies, removes hidden data from office documents before you distribute them. You can do this in not only excel files, but word, powerpoint etc.

This is a great tool to have if you are distributing office documents outside of the office. Consider downloading and installing it today!

10 must do tips to make your Windows PC more secure

Computer Cops ran an article yesterday on '10 must do tips to make your Windows PC more secure '.

Here is the summary of that list of tips:

1. Update your anti-virus software once a week and run a complete test.
   
2. Install a firewall.
   
3. Update your operating system with the latest patches every 2 weeks.
   
4. Do not use Internet Explorer
   
5. Be very careful where you give personal information out.
   
6. Be very careful opening email attachments
   
7. Ignore virus warning emails
   
8. Use anti-spyware software
   
9. Do not forward emails that claim something will happen if you send it to a certain number of people
   
10. Backup up important files

Ok, Ok. It's a pretty dull list. We know all this. But if you could get your grandma to actually DO THIS... it would be a start :)

Frank Swiderski talks about his Threat Modeling Tool

Looks like Robert cornered Frank and video taped him talking about his Threat Modeling tool I reported about back in May.

The book he refers to in the video is actually CALLED Threat Modeling, which you can now order on Amazon. (Mine should be arriving any day now)

If you want to understand how and why you should use this tool, check out the Channel9 video!

SecureString in NET v1.1

Now this was an interesting find. I just read on Robert Hurlbut's .Net Blog an interesting post about how Hernan de Lahitte has put together a sample class that works in a similar way as SecureString for .Net 1.1.

If you recall, I blogged about SecureString in Whidbey back in May. I'm really looking forward to Whidbey because of things like this.

Looks like I don't have to wait... at least for this feature.

Don Park on Test Driven Development

Don Park has an interesting post on his first experiences of test driven development.

I have been exploring TDD for a while now, but haven't really gotten into it yet. I am moving towards it, with a final goal of have nant +nunit building everything. Got the nant part finally done, and just playing with nunit. Of course, if I can get my hands on Team System sooner rather than later, I won't need to worry about it ;-)

Anyways, Don's post shows that he is converting to TDD. He seems to be hooked, like a 'kid emmersed in a video game'. You have to read the post to figure out what I am talking about.

I think I might have to pick up Test-Driven Development: By Example. That is the third person I have heard who got something from this book.

Risk Analysis: Building Security In

Gary McGraw's third article in his IEEE Security & Privacy magazine series called "Building Security In" is on Risk Analysis in Software Design, and he has provided an advanced copy for the community to download.

Many of you already subscribe to S&P. If you don't yet, you should...check out http://www.computer.org/security/.

NIST releases Electronic Authentication Guideline

Now this was an interesting find.

NIST has released a set of recommendations in Special Publication 800-63 providing technical guidance to Federal agencies implementing electronic authentication. The recommendation covers remote authentication of users over open networks. It defines technical requirements for each of four levels of assurance in the areas of identity proofing, registration, tokens, authentication protocols and related assertions.

I really liked how they detailed it here. Worth the read.