October 31, 2004

B.C Privacy Commissioner says the USA Patriot Act violates privacy laws

David Loukidelis, the Privacy Commissioner of the province of British Columbia (where I live), is recommending an immediate freeze on all outsourcing of public data to US-connected firms. CBC is carrying an article about this where they point out that B.C Privacy Commissioner says the USA Patriot Act violates provincial privacy laws, because it can order American companies to hand over information on British Columbians in secret.

You can get the report from the Office of the Information and Privacy Commissioner (OIPC) in two documents:

  1. The Summary Decision
  2. Detailed Report

I am both proud and happy to see Canada taking a stance like this. I have always thought the Patriot Act was WAY too open, and the fact it could bleed into my own civil rights is bothersome. While I respect the need for the intelligence community in the USA (and Canada for that matter) to gather information, there are ways to go about it without infringing on other countries' rights and freedoms. You cannot say you fight for freedom in the world and then scoff at the very rules that this freedom provides.

Good job David. My respect to you and your office in taking this stance.

Posted by SilverStr at 07:51 AM | TrackBack

SecurePoint sees backlash from hiring Sasser Author

You had to know this was coming. According to Heise Online (Babelfish translation required as it's in German) H+BEDV has concerns with SecurePoint hiring the author of the Sasser worm; they have cut ties with the company for "the good of their customer". Although they sympathize with giving the author a second chance, the reality is they cannot do it at the risk of their customers. That was EXACTLY what I was saying before.

This is a bold move on the part of the antivirus company. You want to work with other security vendors when you can... however ethics, professionalism and the constant vigilance to protect their customers take precedence over a partnership. And that is what they SHOULD be doing; it was the right decision.

Posted by SilverStr at 07:35 AM | TrackBack

October 29, 2004

GMail wide open to exploit?

According to an article on Hack in the Box, a major security hole in Google's mail service (gmail) allows full access to user accounts, without the need of a password.

Apparently a flaw in the service's identity authentication mechanisms allows an adversary to get complete control of the mailbox through the use of a bit of cookie-hijacking fu. According to a follow up on InfoWorld, this vulnerability has now been fixed.

An investigation by Google found that only a handful of Gmail users were victimized. Goes to show you though... it doesn't take long for the exposure window for a vulnerability to be exploited these days.

Posted by SilverStr at 10:58 PM | Comments (2) | TrackBack

SecurityJournal Online

joatBlog just pointed out that you can get The Security Journal online via PDF. I only scanned the latest two editions, but they have some pretty good articles in there. Now is the time I need a tablet to take advantage of reading them ;-)

Good find joat. Happy reading!

Posted by SilverStr at 10:31 AM | Comments (1) | TrackBack

October 28, 2004

The Security Risk Management Guide

I forgot to mention this last week, but was just reminded about it.

Microsoft has released a guide that helps customers of all types plan, build, and maintain a successful security risk management program. In a four phase process, the guide explains how to conduct each phase of a risk management program and how to build an ongoing process to measure and drive security risks to an acceptable level.

Although I haven't read it in detail yet, what I saw looked pretty good. I like seeing educational pieces like this; they are informative, to the point and pretty much vendor agnostic. (ie: Not MS rah rah, but real infosec guidance)

You will also find a lot of good reference links supporting their research. Always a good thing(tm).

Happy reading!

Posted by SilverStr at 01:19 PM | Comments (2) | TrackBack

How A Criminal Might Infiltrate Your Network

Microsoft has published an interesting article showing the anatomy of a hack. The article is not intended to show you how to hack something, but rather to show how attackers can take advantage of your mistakes. They say that this will enable you to avoid the common pitfalls that criminal hackers exploit.

What was neat about this was that it was an article linked off the home page of microsoft.com. Good to see such educational pieces getting such exposure.

Posted by SilverStr at 07:19 AM | Comments (4) | TrackBack

October 27, 2004

Another Security Hole fixed in PuTTY 0.56

PuTTY 0.56 fixes a serious security hole which can allow a server to execute code of its choice on a PuTTY client connecting to it. In SSH2, the attack can be performed before host key verification, meaning that even if you trust the server you think you are connecting to, a different machine could be impersonating it and could launch the attack before you could tell the difference. It is recommended that everybody upgrade to 0.56 as soon as possible.

You can check out more info and download the latest by visiting their website.

Posted by SilverStr at 11:39 PM | TrackBack

SecureWorld Expo Day 2 Review

Well, I am back in Canada tonight, and have a bit of time to catch up on the rss feeds and update the blog. I thought I should summarize day 2 of the SecureWorld Expo show.

Here is a quick review:

  • The early morning breakfast session with Kirk Bailey, CISO of the City of Seattle seemed to be pretty good. We showed up a bit late, and had to sit in the back... where the sound was really bad. Luckily I think he is coming up to the West Coast Security Forum and I will be able to hear him speak when he comes up.
  • Crispin did a presentation on host based intrusion prevention for Linux systems through the use of LSM. Interesting stuff. His Subdomain product does similar stuff to my current Windows work in intrusion prevention, hold that to some deep inspection stuff that I am doing. I have heard him speak before, and this presentation wasn't as "fun" as when he talks passionately. His presentation on defending servers during DefCon at the Bellingham Linuxfest was much more interesting.
  • I listened to an EXCELLENT presentation on "Next generation Approach to Risk Analysis" by Peter Stephenson. He presented an interesting topic on Forensic Analysis of Risks in Enterprise Systems (FARES). I could go on for hours about the topic as it was very enlightening as a qualitative risk assessment process. Instead I will point you to the very informative slide deck that was used during the presentation. One thing I liked was the way to use Coloured Petri nets to create interactive risk analysis models and actually test how an attack vector may be mitigated in a network environment without having to actually modify your environment. Makes simulations very nice.
  • The most disappointing panel of the conference, IDS vs IPS was a big flop. There was NO constructive debate on the pros and cons of IDS vs IPS. It was again rah-rah [vendor name here] approach is the greatest. No one would give a straight answer to anything. From cost to implementation techniques, it was all basically a deflection to come talk to them and explore needs. Beau summed it up pretty good as we walked out. No way in hell should anyone put a network IPS in place to STOP critical business network flow when so many false positives already overwhelm us in the IDS space. I add that no way in hell should we consider a single device accessible by the Internet to hold all our keys to our security; network IPS vendors saying you should store all your private keys for a certificate proxy should be shot. (That would be a good portion of the panelists)

Overall, it was a good show. I am chomping at the bit now though for the West Coast Security Forum. In a few blog entries later this week, I will discuss some of the interesting findings that I had while talking with vendors.

Posted by SilverStr at 11:24 PM | TrackBack

October 26, 2004

SecureWorld Day 1 Review

Well, the night is dying down and I got a few minutes to blog about the security conference in Seattle.

I won't go into too much detail as I am pretty tired (Beau Monday and I went out last night to try a bunch of different beers at "The TapHouse Bar and Grill", and when I got back to the hotel I just couldn't sleep).

Here is a quick review of the day:

  • Whit Diffie gave an excellent keynote providing a synopsis of the evolution of information security and its problems. I always enjoy listening to him talk
  • The panels on patch management and vulnerability assessment were boring. When everyone agrees and is doing vendor plugs... you do nothing to have an intelligent conversation on the subjects
  • Francis D'Addario, the VP Partner & Asset Protection for Starbucks gave an EXCELLENT lunch keynote on how Starbucks handles risk management. From terrorist threats (risk of smuggling WMD in coffee bean crates) to social responsibility, this was the first presentation in a long time where I can honestly say I heard an infosec pro thinking like a businessman first, and a technologist second. I can't put in words how much I enjoyed his fresh perspective.
  • I have to remember some people only can think of you in an online context. I spend time regularly communicating with Crispin Cowan on mailing lists and email, but he couldn't remember me from the hole in the ground when I saw him on the trade floor. Kinda funny actually. He is speaking tomorrow and it should be pretty good.
  • Not much new coming out of vendors. The exhibit hall has lots of neat products, but nothing with an ohhh-ahhhh factor.

After the conference Beau and I attended a party gala hosted by Network Computing Architects which was fun. Met up with some interesting people and made some good contacts for some future projects. Thanks to Tom (NCA CEO) for the hospitality and beer. :)

While thanks go out, I should also thank Beau for showing me the town, and taking me to the Geek Dinner Robert put together on short notice. Even with only a couple of hours of real notice, I would like to thank the 10 or so people that came out to say hi. I appreciate it. Was great fun.

Ended the evening spending some time checking out J.P Stuart's car, which is a Jeep Cherokee tricked out with Windows XP, GPS, bluetooth and wireless. Pretty neat layout. He put a lot of effort into this thing.

I have a few comments on some interesting two factor authentication I saw at the show, but I will discuss in its own post when I get back to the office.

For now I am gonna sign off and get some sleep before the 7:30 breakfast held by the ISSA. TTYL.

Posted by SilverStr at 10:40 PM | TrackBack

October 24, 2004

SecureWorld Expo

Next week I am heading down to SecureWorld Expo to attend a security conference in Seattle. Was talking with Robert about a geek dinner, and he suggested hooking up for dinner on Tuesday evening. Sounds good to me. I haven't seen him post any info on his blog on where he wants to host it, but I am guessing it will be in Bellevue again; that's near where my hotel is anyways.

So keep the evening open; let me know if you can make it. Who knows what will come of it. Last time I was down Jason Anderson took us back to Microsoft to give us an intimate demo of Team System, which I blogged about here. Robert even video taped it.

So, if you are interested in hanging around and geeking out... let me know. You can comment here or drop me a line at dana@vulscan.com. I am actually going to be in town on Monday night, so if you feel like doing something neat and exciting, let me know. I was contemplating checking out the contemporary jazz scene in Seattle; if you have any recommendations please let me know.

Posted by SilverStr at 12:32 AM | TrackBack

October 22, 2004

How to Securely Connect MS Access to a Remote SQL Server

Today I had an interesting conversation with a contract programmer that had me thinking a bit. I have used an interesting technique for a while now that most people don't know, and that makes data manipulation on a SQL server quite nice... and secure. For this conversation I am going to talk about bridging MS Access to connect to a mySQL database securely... over SSH.

The conversation started on a tangent when I made the comment I don't need to write a web front end to massage some data as I could use Access. The obvious question from the programmer (and rightfully so) was 'umm... that's not really secure is it?'. I kind of brushed it off and said ya, but didn't explain myself very well. So I figure why not do that now with a useful blog entry on the subject. :)

Although more recent versions of most DBMS are now offering options for connecting over SSL, that hasn't always been the case. And in my case, I'd rather use SSH anyways... I have better control over it as it's allowed through the firewall as normal SSH traffic.

So how do you do it? How do you get a Windows machine running MS Access to connect up to a Unix/Linux server running mySQL to access data? It's pretty simple actually.

  1. Install putty, or any of your favorite SSH clients that support forwarding through the tunnel.
  2. Install mySQL ODBC driver
  3. Create the right permissions on the database that you wish to access.

    GRANT SELECT,INSERT,UPDATE ON yourdb.* TO 'bob'@'localhost' IDENTIFIED BY 'your_password';

  4. Start PuTTY and create a new connection to the server using a local port forward through the tunnel and point it to localhost (ie: port=3306, destination=localhost:3306... see screenshot below)



  5. Connect to the server with SSH
  6. Start MS Access
  7. Create new blank database. Call it something resembling the mySQL database so you can remember it.
  8. Go to the File menu and select: File->Get External Data->Link Tables, and change the "Files of type" to ODBC Databases()
  9. When the Select Data Source dialog pops up, select Machine Data Source and click the "New" button
  10. Create a new System Data Source and click Next
  11. Select the MySQL ODBC driver from the list and click Next, and then Finish
  12. When the MySQL ODBC driver dialog pops up, enter in a unique datasource name, set the host to 'localhost' and the database name to the foreign database you set the GRANT perms to. Set the user to 'bob' (or whatever you set the username to) and enter the password.
  13. Click the 'Test Data source' button. It should have worked.
  14. Click Ok
  15. When the Link Tables dialog pops up, select the Tables you want.
  16. Click Ok
  17. Query and manipulate the data as you like!

Now what happened? Well, what you did is set the Access database to connect to localhost... which was then forwarded across the SSH tunnel to the remote server, which then also made a localhost connection, which you allowed in the system.

Now here is a trick for some people that don't get this working first time. Depending on how you do name resolution, when setting the GRANT perms you may need to set the host as the fully qualified name as the system sees it. ie: hostname.domain

That's it. Now you can securely use all the features in Access to massage the data on mySQL without the data being snooped on the wire.

Posted by SilverStr at 05:53 PM | TrackBack
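
For the MS Access over SSH procedure above, a way to check steps 4 and 5 before building the DSN, and to find the host name that the GRANT tip refers to. This is an added example, not code from the original post; the function names and the sample packets are constructed for illustration, and it assumes the forward listens on 127.0.0.1:3306 as in step 4.

```python
"""Probe the local end of the SSH forward before configuring the ODBC DSN."""
import re
import socket
import struct


def frame(payload: bytes, seq: int = 0) -> bytes:
    """Wrap a payload in the MySQL packet header: 3-byte LE length + sequence id."""
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload


# Constructed sample packets (not captured from a real server).
SAMPLE_GREETING = frame(b"\x0a" + b"4.0.21-standard\x00"         # protocol 10, version
                        + b"\x01\x00\x00\x00" + b"abcdefgh\x00")  # thread id, salt
SAMPLE_DENIED = frame(b"\xff" + struct.pack("<H", 1130) +
                      b"Host 'gw.example.com' is not allowed to connect "
                      b"to this MySQL server")


def parse_first_packet(data: bytes) -> dict:
    """Classify the first packet the server sends after the TCP connect."""
    if len(data) < 5:
        return {"kind": "closed"}            # accepted, then closed with no packet
    length = int.from_bytes(data[:3], "little")
    payload = data[4:4 + length]
    if length == 0 or len(payload) < length:
        return {"kind": "truncated"}         # short read, or not MySQL framing
    if payload[0] == 0xFF and len(payload) >= 3:   # ERR packet instead of greeting
        code = struct.unpack_from("<H", payload, 1)[0]
        msg = payload[3:]
        if msg[:1] == b"#":                  # optional 5-character SQLSTATE marker
            msg = msg[6:]
        return {"kind": "error", "code": code, "message": msg.decode("latin-1")}
    end = payload.find(b"\x00", 1)           # greeting: version is NUL-terminated
    if end == -1:
        return {"kind": "not_mysql"}
    return {"kind": "greeting", "protocol": payload[0],
            "server_version": payload[1:end].decode("ascii", "replace")}


def recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read up to n bytes, stopping early only if the peer closes."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def probe(host: str = "127.0.0.1", port: int = 3306, timeout: float = 5.0) -> dict:
    """Connect to the local forward and classify whatever answers first."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            header = recv_exact(sock, 4)
            if len(header) < 4:
                return parse_first_packet(header)
            length = int.from_bytes(header[:3], "little")
            # The first packet is small; cap the read so junk cannot stall us.
            return parse_first_packet(header + recv_exact(sock, min(length, 4096)))
    except ConnectionRefusedError:
        return {"kind": "no_listener"}
    except OSError as exc:                   # includes timeouts
        return {"kind": "io_error", "detail": str(exc)}


def seen_host(result: dict):
    """For error 1130, return the client host name as the server resolved it."""
    if result.get("kind") == "error" and result.get("code") == 1130:
        match = re.search(r"Host '([^']+)'", result["message"])
        return match.group(1) if match else None
    return None


def advise(result: dict) -> str:
    """Turn a probe result into the next thing to check."""
    kind = result["kind"]
    if kind == "greeting":
        return (f"Forward reaches MySQL {result['server_version']}; "
                "point the DSN at localhost.")
    host = seen_host(result)
    if host:
        # 1130 means no account allows this host at all; a wrong user or
        # password only shows up later, during the ODBC login itself.
        return (f"Server sees this connection as host {host!r}; "
                "use that as the host part of the GRANT.")
    if kind == "no_listener":
        return "Nothing listens on the local port; is the SSH session open?"
    if kind == "closed":
        return ("Forward accepted the connection but sent nothing; check that "
                "mysqld listens on the server's localhost:3306.")
    return f"Unexpected reply: {result}"


if __name__ == "__main__":
    print(advise(probe()))
```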

October 21, 2004

My Search for an Obfuscator is Complete

Well, I am pleased to announce I finally have an obfuscator fully working in my automated build environment.

After an initial inquiry to my readers about suggestions for a good obfuscator, and then a wasted day trying to actually buy one, I finally purchased XenoCode... and now am able to do an end to end build with one command.

XenoCode surprised me. I originally didn't give it much thought as I didn't hear much about the product, and it was a LOT cheaper than the competitors. After doing a complete test, I can honestly say that it is a compelling offering, with the best cost to feature ratio in any of the products I have investigated. I am extremely happy that I didn't spend $1,500 on DotFuscator when I could pick up XenoCode for $199... with pretty much the same set of features I needed.

Customer support was awesome. Every email I sent over 3 days was responded (on average) within an hour with a complete and clear answer. They were the first company to do that with me; that made a big difference during testing and product analysis. Other companies like PreEmptive and Wise Owl failed miserably here.

Now XenoCode isn't perfect. I am not happy with the fact that its 'dead code elimination' functionality has no way to statistically log what code was removed, but I can live with that for now. Another concern was the fact I had to modify my automated build environment to take care of the fact that I need a secondary directory for the obfuscated output; I would have preferred that it overwrite the assemblies once obfuscated.

All in all I am satisfied with my purchasing decision. If you are looking for an obfuscator for .NET, consider checking out XenoCode. You might be pleasantly surprised.

Posted by SilverStr at 11:34 PM | TrackBack

Which File Extension Are You?

You are .cgi. Your life seems a bit too scripted, and sometimes you are exploited. Still a workhorse though.
Which File Extension are You?

Posted by SilverStr at 07:51 PM | Comments (3) | TrackBack

October 20, 2004

Small Business Server 2003 Demos

Today Microsoft released three small, yet interesting video demos on how to use Small Business Server 2003 effectively.

The three areas covered include:

  1. Automatically protect and secure your critical business information with Volume Shadow Copy
  2. Using Sharepoint to share files with your peers
  3. Using Remote Web Workplace when away from the office

If you don't know about some of the neat features in SBS 2003, you should download this set of demos and check it out yourself.

Posted by SilverStr at 03:37 PM | TrackBack

October 19, 2004

IIS vs Apache Defects

Michael posted an interesting article comparing the defects of IIS6 against those of Apache 2.

The results? See for yourself:


Michael followed up with a second post, taking care of 4 major comments from people who saw the original post, which included:

  1. Perhaps the security work you guys are doing is paying off?!
  2. No way can this be true, you work for Microsoft, so how can you be unbiased?
  3. What about Apache 1.3.x?
  4. Does this include SSL?

The first comment makes sense. Since SD3+C has been pushed on campus, we are seeing a lot of positive changes in the attack surface and defect levels of newer product. That's a good thing. (Go ahead Martha... sue me from jail)

The second comment is typical FUD deflection. Secunia is its own company, and is not impacted by Microsoft, nor is its research enforced by Microsoft. If anything, sometimes their reports are very critical of Microsoft... as they should be.

The third comment is interesting. People want to always compare apples to oranges, not giving a fair comparison. They do this at the OS level all the time. Let's compare the latest of both when doing such analysis. But in case that's not a good enough reason for you, you can look at the difference, comparing against Apache 1.3.x:


The final comment was about SSL. I was surprised people would want to open this can of worms with all the recent OpenSSL issues. Michael pointed out some interesting stats on that as well. Quoting his view on this:

"Microsoft issued a security update, MS04-011 (http://www.microsoft.com/technet/security/Bulletin/MS04-011.mspx) in Feb04 for Windows, which included a bug fix for Private Comms Technology (PCT). PCT was released just after SSL2 to fix a number of defects in the protocol, these were then fixed in SSL3. PCT also supports strong crypto for financial orgs and was enabled by default on all platforms except Windows Server 2003 and Windows XP SP2. So chances are very good if you're running a new Windows Server 2003 box, you're not vulnerable because the code path is not exposed by default. So it's a low pri bug. That said, let's call it three security bugs related to IIS6."

Now let's look at Apache2, plus OpenSSL 0.9.x because mod_ssl uses OpenSSL:

Some interesting findings. As an Apache fan I don't like to admit it, but IIS6 has come a long way.

Posted by SilverStr at 11:54 AM | Comments (8) | TrackBack

My TabletPC Shopping Experience in LA

Just got back from my trip to LA. Had a great time, learned a lot and had some interesting experiences. If you have never tried Shabu-Shabu, you REALLY need to give it a try in Little Tokyo in LA. It's great food. So was the AWESOME Brazilian BBQ. What an amazing experience.

Anyways, about my TabletPC shopping experience. I think I know WHY the TabletPC is doing so bad in the marketplace. It's because the people supposedly selling them have no clue what they are doing. And that is compounded with them NOT CARING.

First off, I went around to some of the largest computer stores in LA. In total I found 2 TabletPCs. And I couldn't play with EITHER of them, as the "pen" was stolen at one store, and lost in the other.

I went to a couple of Frys. Circuit City. Franklin Covey. Staples. Best Buy. You name it... I was there. These are just a few I can remember off the top of my head. And in all these stores... I found 2. And both were busted in some way, shape or form.

When in Best Buy I had an interesting experience which pretty much sums up what I have seen. First off, while talking to the manager of the computer sales department I heard an interesting comment from him. He HATES TabletPC. He calls them "boomerangs". I just had to ask him what the heck that means. His response? Every TabletPC he sold has come back returned. People bought it for the gee-wiz factor, took it home and then realized they paid way too much for functionality they don't use. (His words, not mine). That's not a ringing endorsement for the product if you ask me. Every unit sold has been returned? Wow.

The other interesting thing that happened is while talking about this with the manager, a Microsoft TabletPC MVP approached and got involved in the conversation. Linda Epstein, the author of TabletPC2.com tried hard to defend the TabletPC and even offered to take me back to her place to try out some Tablets. By this time I had enough of driving around LA looking for TabletPCs, had to be at a dinner meeting in an hour and had to pass, which was unfortunate as I would have loved to at least TRY one while I was down there.

What an exhausting experience. Drove around LA most of the day... saw two TabletPCs (both which were broken in some way)... neither with a tablet pen to try the darn thing. And to boot... these things were like $2500 US. Realizing that in the "real world" they were called BOOMERANGS by some sales managers, this doesn't bode well for the TabletPC industry. I thought it was odd that in Canada we can't find TabletPCs to try out. I find it just crazy that we couldn't find them in a large city like LA. Now I think I know why it's not taking off. The bloody things aren't liked by the sales channels... and are not being pushed at all. What would it have cost to get a tether for the pen, and fix the broken keys on the thing? When you can't even try the product... how can you assume we will buy it?

In all, this is what I have learned from my experience looking for a TabletPC:

  • There is no product in the sales channels to try
  • There are no real marketing efforts in these channels for consumers
  • The channel doesn't like selling them anyways
  • The channel doesn't know HOW to sell them, or WANT to
  • People who LOVE the TabletPC will tell you differently... and with passion
  • People who LOVE the TabletPC will give you all the examples in the world about its success... but in reality you don't hear about the failures... which there seems to be more of
  • These devices are still way too expensive; they are getting returned A LOT. Price sensitivity is a major factor to the consumers who initially bought it for the "gee-wiz" factor
  • I still don't have one. And until I get to try one... REALLY try one... I am not going to even consider it.

The last statement is a major one for me. I believe the Tablet could be VERY useful for me in my business meetings. And when on the road and need to read. And code. And do drawings like flow charts and data flow diagrams in meetings. And write email. (I definitely need a convertible and not a Slate) However, I won't even consider trying to justify if it's feasible since I can't even try the damn thing and see if it would meet my business needs.

At this point, unless a vendor sends me a sample unit to try for a couple of weeks, you pretty much lost my business. I simply will not play "boomerang" with you. It's a waste of my time and money.

Posted by SilverStr at 10:54 AM | Comments (15) | TrackBack

October 14, 2004

Are Obfuscation Companies Dying???

Wow, what a weird day. If you recall, back in August I asked people about their thoughts on obfuscators. I was starting to think about buying one for my automated build environment, and was exploring my options.

Today I have spent some time going through the process of looking more closely at the obfuscators. I have tried out a few of them, and decided it was time to talk with sales people about buying, and discounts for small ISV like myself.

My original decision was to approach Demeanor for .NET, Enterprise edition from Wise Owl Software. It seems to have everything I need, is closer to my price range (still a bit high at $799... what ever happened to tools only costing around $500 *sigh*) and works well with nant. I sent an email a few weeks ago asking about discounts, and never heard back. Today I called them at the number listed on the web site, which was (760) 471-9833. Disconnected or no longer in service. Odd. Maybe it was a typo. Called the fax line at (760) 471-0905. Disconnected or no longer in service. Ok, guess the phone lines are gone. Tried calling their "Marketing and Public Relations" guy at (415) 292-7825. Disconnected or no longer in service. Ok that's enough. No emails returned. No phones in service. No one to service me. No purchase.

Next I turned to Dotfuscator Professional from PreEmptive Solutions. I am not too keen on their product simply because of price, but I am hoping they may have some sort of discount program for small ISV. Can't hurt to ask. I called their 800 number, which is not available to Canada. Note to PreEmptive... it only costs like an extra dollar a month for 800 service across ALL of North America. You will easily recoup that cost with 1 sale. ie: Mine.

With their sales line not available I thought I would call their general line at 216.732.5895. Automated voicemail, with no option to get to sales. So I pressed 0 for the operator. Which leads me BACK to the main menu. After doing this twice, I realized I wasn't going to talk to anyone... and hung up.

The result? I didn't talk to one sales person today. The money stayed in my wallet, but I still don't have an obfuscator that works in an automated manner. Gotta make me wonder if the business of "obfuscation tools" is dead. Is there a free tool out there I don't know about? Did Microsoft include better obfuscation in the next version of Visual Studio? What's going on... no one wants my money?

Posted by SilverStr at 03:34 PM | Comments (4) | TrackBack

Running OSX on your PC

If you recall about two years ago I was chanting MARKLAR! MARKLAR! in an effort to have OSX running on my PC laptop. Apple had OSX running on an x86, but they were not releasing it to the public.

And that still hasn't happened. Although rumours abound about how Tiger and some apps are running fine... I still don't think Apple is going to come out with an x86 version for people to buy. If they did, I'd buy it. But as Susan routinely points out... I'm not a normal computer user either. *sigh*

So, what else can we do? Well you heard me talk about Pear PC already. How about a more commercial ready fruit?

Like maybe Cherry OS? That's right, a commercial quality G4 emulator allowing you to run OSX completely on a PC. Looks kinda kewl. Not sure how well it performs... but rumour has it that it's faster than VMWare is for x86 instructions. (Not sure how much I would believe that until I see it.. but that's the talk anyways)

Anyways, if you wanna run OSX on your PC, give CherryOS a look. Might give you that opportunity to try it out before you migrate over to a PowerPC.

Posted by SilverStr at 11:14 AM | Comments (5) | TrackBack

October 11, 2004

Defend Your Apps and Critical User Info with Defensive Coding Techniques

MSDN has released an interesting article on "Defending Your Apps and Critical User Info with Defensive Coding Techniques".

The article discusses securing user credentials and logon information, how to protect client and server data using encryption and how to defend COM clients/servers. It covers a large gamut of information, including examples in C# and C++. It is not particularly long in length, but still a good read for the material presented.

Enjoy!

Posted by SilverStr at 11:47 AM | TrackBack

Secure programmer: Prevent race conditions

David Wheeler has released another great article in his secure programmer series on how to "Prevent race conditions".

In the article you will learn what a race condition is and why it can cause security problems. The article shows how to handle common race conditions on UNIX-like systems, including how to create lock files correctly, alternatives to lock files, how to handle the filesystem, and how to handle shared directories (and in particular how to correctly create temporary files in the /tmp directory). You'll also learn a bit about signal handling.

It's a great article. I love how he introduces the article with a real problem TripWire used to have in their product. A good way to illustrate how to properly remedy real world problems.

Happy reading!

Posted by SilverStr at 08:42 AM | TrackBack

Power of Blogging: Word of Mouth FINALLY gets my SORBS issue fixed

Well, there is proof yet again of the power of blogging. If you recall at the beginning of the month I complained that SORBS was erroneously blocking my company's IP address block, and constant attempts to communicate with SORBS from both myself and my ISP went unanswered. I was blacklisted from most of my colleagues, which makes it EXTREMELY difficult to communicate with anyone, including people I am working with at a few security and antivirus companies, and of course Microsoft. I was starting to lose business opportunities due to lack of communication, and I was thinking about moving to a different ISP before I lost any real business.

Well apparently my blog entry made its way around the "inner-circle" of those that matter at SORBS, getting posted to an internal mailing list of SORBS gods and someone had the bright idea that it might make sense to go and fix it. I appreciate that. So it looks like life is back to normal on the mail server front. I SHOULD be able to communicate again with everyone. If you emailed me and you think I didn't respond, you might want to resend your email.

Good lesson to be learned here though. It is amazing how a volunteer organization run by one man can negatively affect business around the globe. I wonder who watches the watchers? If Matt and the crew at SORBS don't like someone, and decide to take their time in removing an IP address that 'accidentally' got blacklisted... there is NOTHING you can do about it. No relief. No recourse. No one to turn to. And this is for our CRITICAL communication infrastructure.

Now to be fair, for all I know this could have been an honest mistake and a rare occurrence. The fact that it took OVER A MONTH though should show that it doesn't matter. In the face of failure there should be quick, clear and concise remedies for recovery. Someone made a mistake with my IP block. Fine. But waiting a month before fixing it was unacceptable. Imagine if I was Ebay, Amazon or some other heavy hitting online business. I'd probably go sue your ass for the lost profits. And then a great service would be in litigation and end up folding. That doesn't help anyone.

Posted by SilverStr at 08:30 AM | Comments (4) | TrackBack

October 08, 2004

SANS releases updated Top 20 Vulnerabilities List

SANS has updated their list of top 20 vulnerabilities on the Internet. You might find some of their findings interesting:

Top Vulnerabilities to Windows Systems:

  1. Web Servers & Services
  2. Workstation Service
  3. Windows Remote Access Services
  4. Microsoft SQL Server (MSSQL)
  5. Windows Authentication
  6. Web Browsers
  7. File-Sharing Applications
  8. LSAS Exposures
  9. Mail Client
  10. Instant Messaging

Top Vulnerabilities to UNIX Systems:

  1. BIND Domain Name System
  2. Web Server
  3. Authentication
  4. Version Control Systems
  5. Mail Transport Service
  6. Simple Network Management Protocol (SNMP)
  7. Open Secure Sockets Layer (SSL)
  8. Misconfiguration of Enterprise Services NIS/NFS
  9. Databases
  10. Kernel

Compare that to a year ago.

Top Vulnerabilities to Windows Systems in 2003:

  1. Internet Information Services (IIS)
  2. Microsoft SQL Server (MSSQL)
  3. Windows Authentication
  4. Internet Explorer (IE)
  5. Windows Remote Access Services
  6. Microsoft Data Access Components (MDAC)
  7. Windows Scripting Host (WSH)
  8. Microsoft Outlook and Outlook Express
  9. Windows Peer to Peer File Sharing (P2P)
  10. Simple Network Management Protocol (SNMP)

Top Vulnerabilities to UNIX Systems in 2003:

  1. BIND Domain Name System
  2. Remote Procedure Calls (RPC)
  3. Apache Web Server
  4. General UNIX Authentication Accounts with No Passwords or Weak Passwords
  5. Clear Text Services
  6. Sendmail
  7. Simple Network Management Protocol (SNMP)
  8. Secure Shell (SSH)
  9. Misconfiguration of Enterprise Services NIS/NFS
  10. Open Secure Sockets Layer (SSL)

Interesting findings. On the surface much has changed. But not really. Look closely. Network attack vectors via a web server are still a paramount concern on Windows. And BIND continues to be the Achilles heel on Unix. What does that really tell us though? It is always easier to breach something exposed to the masses remotely and anonymously. Is this because of secure software engineering failure, configuration failure or a failure in education? (Or a piece of each.)

What I DID find interesting was that this year, "web servers" have been clumped together. IIS always used to stand out because of the various weaknesses in it; IIS6 was a totally new design through the SD3+C methodology and it's showing to be successful. Now it's just en masse with Apache, and iPlanet/SunOne. Will be interesting to see a snapshot next year... I am going to guess the SD3+C push will have mitigated a lot of this as more businesses move to W2K3.

Posted by SilverStr at 10:12 AM | TrackBack

October 07, 2004

Mozilla: How to be a thorn in my side

Man, I am a BIG fan of Mozilla (well actually Firefox), but I gotta tell ya.... it's been driving me bonkers for the last week.

To be honest, what is driving me bonkers is a 3rd party credit card processing agent who can't figure out WHY their stuff won't work with Mozilla. It ends up they have some load balancers that are doing some weird stuff that causes a page redirect in an order form to not work correctly. Simply hit refresh, and it works. And of course, this doesn't occur on the test site. We only learned about this when the site went live.

The result? For over a week now the registration page for the West Coast Security Forum has been down while we wait on a fix. I was going to bypass the issue using the direct credit card processing API, but I haven't had time to look at it. And the person I contracted to look at something similar has been extremely busy and not able to get to it.

Since we can no longer wait... we decided to open it up to IE users, and redirect Mozilla users. *sigh* I hated doing that. I REALLY hated doing that. All because of a friggin load balancer that doesn't play nice with Mozilla.

Posted by SilverStr at 06:58 PM | TrackBack

Microsoft releases ASP.NET ValidatePath Module

If you recall I talked about a vulnerability in ASP.NET over the weekend. Microsoft started putting up some info a couple of days ago which I saw people talking about. There have been comments about how Microsoft is being lazy and not providing a real fix for it.

Perhaps you will now reconsider. Microsoft has just released the ASP.NET HTTP module that Web site administrators can apply to their Web server. This module will protect all ASP.NET applications against all potential canonicalization problems known to Microsoft. Apparently that includes the one over the weekend.

Posted by SilverStr at 06:41 PM | TrackBack

Bruce Schneier is blogging!

OMG. Bruce is blogging. I never knew that. Awesome! Already added to bloglines! You can get his RSS feed here.

Thanks to Larry Osterman for pointing it out!

Posted by SilverStr at 06:35 PM | TrackBack

October 06, 2004

Wanna party in LA?!?

I am flying down October 15th to LA to attend a gala dinner hosted by some people from the Canadian Consulate, and will be staying until the 18th with a friend and mentor. If you want to hook up during the weekend let me know.

My agenda is flexible, but has some locked in events we will have to work around. So drop me a line at dana@vulscan.com if you want to hook up. One thing I promised myself is I would take some time while in the US to actually touch and feel a Tablet PC and see how comfortable I am with them. I have only played with Robert's, and that is not enough indication of what's out there. I am looking at the Acer TravelMate C111Ti; I can get a 1 GHz Tablet PC with a gig of RAM that is only like 3 lbs and has a battery life of something like 4 hours! (And to boot it's faster than my dev system now) Not sure if a Fry's or the like will have these, but I can hope.

Posted by SilverStr at 08:49 PM | TrackBack

Threat Modeling for Web Applications

Security World has released a paper on Threat Modeling for Web Applications using the STRIDE Model. If you are new to threat modeling, it has some good information.

I think this paper is a bit weak in the fact it doesn't do a good job showing how to PRACTICALLY do threat modeling end to end. Threat modeling is MORE than simply STRIDE. It starts with determining what assets of interest are there for an adversary to take (remember a threat cannot exist unless there is at least one asset of interest for an adversary). It then goes into modeling the application which includes data flow diagrams (my latest passion as part of threat modeling) and then goes into building a threat profile that allows you to classify the threats with STRIDE. Once you have classified the threats, you can finally build a threat tree to find what and how things can be mitigated.

As you can see, STRIDE is a SMALL part of that. A better resource if you want to learn about threat modeling would be to get Frank Swiderski's book on the subject. Back in August I wrote a book review about it, which you can read here.

Posted by SilverStr at 05:40 PM | TrackBack

October 04, 2004

Defeating the Windows Server 2003 Stack

I just finished reading an excellent paper by David Litchfield on "Defeating the Stack Based Buffer Overflow Prevention Mechanism of Microsoft Windows 2003 Server". What is funny is that his findings are actually an echo of those I've seen from people like Greg Hoglund who are already trampling the .data segment to defeat the canary for rootkits.

What I think makes this paper valuable isn't in talking about how to defeat the W2K3 stack, but how to protect it. The most obvious conclusion, which has been made by other developers who have looked at this, is to use VirtualProtect on the segment of .data that is holding the stack cookie. Doing so prevents an attacker from modifying the cookie and walking the stack on demand.

Anyways. Good read. Most stuff from David is. Happy reading!

Posted by SilverStr at 10:42 AM | TrackBack

October 03, 2004

Why SORBS Sucks

Alright... I've had enough.

I typically try not to slag services which I think are a great service to the industry, but I quite frankly have had enough of this now that it's time I rant.

If you are using SORBS, I would like you to reconsider your options in the face of the fact that they DON'T manage their blacklist with any sort of integrity.

I speak from experience. It has now been over a month, with over 5 emails from me, and 3 from my ISP with NO response from SORBS. It has come to a point I can't even tell if they read emails, since I simply get NO response through their web mail form.

Here is the scoop. I purchased 2 static IPs from Shaw Business Internet, a local Cable company providing both residential and business Internet services. When I first got the IPs a couple of months ago I found that a lot of the people I communicate with could no longer get mail from me. Not a problem I thought, since this was a mass block of IPs that SORBS thought was dynamic.

I spoke to Shaw Tech support and they got right on it. Realizing that a new block they switched me to was considered dynamic, they submitted the changes to SORBS as per their requirements. Nothing. Then they emailed. Nothing. And again. Nothing. Of course, I was ranting at the ISP throughout all this, and all they could say was that they couldn't escalate it any further until I got a response from SORBS saying they wouldn't do anything with the ISP.

After hearing enough he-said/she-said crap I fired off my own emails. First I tried the "DUHL Additions, Deletions and Enquiries" support options. Then the "SORBS User Support" channel. No go. Finally I emailed "Matthew Sullivan" who is supposed to manage all this. I know it says NOT to email him with support issues, but over the weekend I had enough and didn't know where else to go. Of course, I got no response... which isn't surprising.

So I am standing here, unable to email many of my clients and colleagues, including people I am working with at Microsoft. So... for those 'softies that are wondering why I haven't replied to your emails... that's why. Your mail server is bouncing me because you use SORBS. I couldn't even email secure@microsoft.com to report something over the weekend, and had to get Susan to do it for me.

I think this is ridiculous. There are supposed to be safeguards to protect legit IPs like mine. Yet in the face of real world experience, it's far from that.

Please reconsider using SORBS. If they are STILL blocking me after a month of trying... who else are they blocking incorrectly? You might be losing real business.

Posted by SilverStr at 08:52 PM | Comments (2) | TrackBack

October 02, 2004

Major ASP.NET Forms Authentication Vulnerability Found

You probably haven't heard about this yet, but there is a serious ASP.NET Forms authentication vulnerability that has been reported and is starting to make its way around the Internet. I have refrained from posting about it in an effort to wait for Microsoft to handle it, but now that it's creeping out to blogs, I thought I better speak up so admins get a chance to cut through the FUD and deal with the real issue.

The vulnerability was originally reported on NTBugtraq on September 14th by Toby Beaumont. I won't go into the politics of this report too much, but would like to point out a few things that bothered me about this report. First off, I am one for fair disclosure for vendors. I think Toby was wrong in blasting this on a major security mailing list without first letting Microsoft know (that is what secure@microsoft.com is all about). He even admits this at the end of the post, and I think that this is somewhat irresponsible. Secondly, I think Russ should have known better than to post it on his list (he does moderate every post after all) without giving Microsoft some time to look into this. Anyways, I could go on and whine about this forever, but will instead just accept that the information is out and move on.

Now to details about the vulnerability. The basic premise behind the bug is that a specially crafted URL string can bypass the expected authentication model invoked in .NET forms authentication. The original report discusses how by using a backslash where a forward slash is expected, the parser dealing with the pathing chokes. This seems to be a problem in how System.Web.Security.FormsAuthentication uses the value provided in the variable "Context.Request.Path" to validate its internal representation of the web.config(s) Form Authentication mappings. For more information on this you can check out the research Dinis Cruz has done on this.

Now who is and is not affected? This vulnerability has been reported to work on all operating systems pre-W2K3 supporting IIS5, including W2K, SBS2000 and XPSP2. W2K3 is NOT affected since it is using IIS6. In IIS6 Microsoft rewrote the parser doing path normalization and it seems to currently be resilient to this attack vector. This means that for us up to date SBSers, we are safe since SBS 2003 is based on the same W2K3 code base... and we are using IIS6.

How can you fix this? Currently Microsoft hasn't even acknowledged the vulnerability exists. In the meantime if you are vulnerable you may wish to look at the upgrade path to W2K3 / SBS2K3. You really should be doing this anyways; the attack surface of the W2K3 server platform is considerably smaller and a lot of these issues have been addressed. If that is not feasible, you really should install URLScan and run the IIS Lockdown Wizard. Read knowledge base article 815155 to learn how to configure URLScan to protect your ASP.NET web application.

There is some code floating around the Internet from Duncan Godwin in an attempt to temporarily fix this using HttpModule and RewritePath. I would caution you in using this code. Although it DOES address the symptom, IT IS NOT THE CURE. Duncan wrote a neat hack that will check and rewrite paths if a backslash exists when it shouldn't. He even was smart enough to add a check for a UTF-8 encoded representation using %5c instead of using a backslash ('\'). However, this can simply be defeated by using a double-escaped representation.

One of the problems with URL encoding is the fact you can really nest double escaping pretty deep. %5c represents a backslash character. But so do these:

  • %255c (%25 which is the escape for % followed by 5c)
  • %%35%63 (The % char followed by %35, which is the escape for 5, and %63 which is the escape for c)
  • %25%35%63 (The escapes for all three chars)

As you can see, the escapes can nest pretty deep. As such, Duncan's code won't actually stop the problem.

To really get around this problem, I think the only way this will be done properly is to reduce the URL string to its canonical form by using something like the Win32 API MultiByteToWideChar. This would ensure that it won't be hidden in escape nesting hell. However, I currently don't have time to write some code to address this, and will need to rely on other developers who work closer in the ASP.NET arena to do so. You will need to P/Invoke this I'm sure, but that shouldn't be too hard.
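The escape nesting and the "reduce to canonical form" idea above can be shown by percent-decoding until the string stops changing, then checking the result. This is an added illustration in Python, not code from the original post or from Duncan Godwin's module; the function names, the round limit and the sample paths are assumptions constructed for the example.

```python
from typing import Tuple
from urllib.parse import unquote

MAX_ROUNDS = 8  # assumed limit; deeper nesting is rejected rather than decoded


def naive_has_backslash(path: str) -> bool:
    """Single-pass check of the kind described above: a literal backslash
    or one level of escaping (%5c). Hypothetical stand-in, not the real module."""
    return "\\" in path or "%5c" in path.lower()


def canonicalize(path: str, max_rounds: int = MAX_ROUNDS) -> Tuple[str, int]:
    """Percent-decode until a fixed point is reached.

    Returns (canonical_form, rounds_that_changed_the_string).
    Raises ValueError when more than max_rounds rounds would be needed.
    """
    current = path
    for rounds in range(max_rounds + 1):
        # latin-1 maps every escaped byte to exactly one character, so no
        # byte is dropped or replaced while decoding.
        decoded = unquote(current, encoding="latin-1")
        if decoded == current:
            return current, rounds
        current = decoded
    raise ValueError("escape nesting exceeds limit")


def check_request_path(path: str) -> str:
    """Return 'reject' if the canonical form hides a backslash, else 'allow'."""
    try:
        canonical, _ = canonicalize(path)
    except ValueError:
        return "reject"  # nested too deep to be a legitimate path
    return "reject" if "\\" in canonical else "allow"


# Constructed sample paths: two controls, the single escape, and the three
# nested forms listed above.
SAMPLES = ["/app/page.aspx", "/app%20dir/page.aspx", "/app%5cpage.aspx",
           "/app%255cpage.aspx", "/app%%35%63page.aspx", "/app%25%35%63page.aspx"]

if __name__ == "__main__":
    for p in SAMPLES:
        print(f"{p:26} naive={naive_has_backslash(p)!s:5} "
              f"canonical={check_request_path(p)}")
```

A check like this only helps when it canonicalizes the same way the component behind it does; otherwise the filter and the server can still disagree about what the path is.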

There are several people doing some more research on this that you should watch. Some of the latest information seems to be coming from Dominick Baier and can be read here. What we currently know is that the latest version of .NET did not address this, and that it continues to be vulnerable on all platforms running IIS pre-WS2K3.

fritz wrote a quick proof of concept web app which you can download and try to see if you are vulnerable. If you think you may be at risk, I suggest you check it out and see for yourself.

Good luck.

Posted by SilverStr at 11:38 AM | Comments (3) | TrackBack

October 01, 2004

The idiocy of some People

Ok, this will be an uncharacteristic post by me. I try not to let my own personal opinions such as politics, religion etc come onto my blog as this seems to be a good resource for my readers to learn about things infosec.

But today I just heard some of the stupidest idiocy, and I just have to speak up.

Today I learned about a PERFECT example of stupidity in people who cannot take a joke. It came about when I heard that some of the nurses in BC decided to complain (I heard the term boycott and threat of union action from someone in the know) to Z95.3, one of the radio stations I listen to occasionally. Why? Because of this TV ad.

God forbid we think nurses are cute, can sing and dance.... especially if you have seen many of the nurses in the system... they are far from that.

People, it's a TV ad for a radio station. The premise behind the ad was that great music has an infectious way of taking over. Not that you are sex slaves or whatever idiocy you can dream up in your complaint.

Let it go. It's not worth fretting over.

Anyways, Z95 voluntarily pulled the ad. So you will never see it on TV again. But you can see it here. I suggest you check it out and have a laugh before it gets pulled from there too.

Posted by SilverStr at 01:55 PM | Comments (2) | TrackBack