December 31, 2005

Wake up Microsoft! Novell is done licking their wounds. Introducing LAMM.

The title to this post just doesn't do it justice. But I didn't know how else to put it. For the last decade I have watched Microsoft erode Novell's marketshare in the networking world. If you have been around long enough, you might remember the glory days when a CNE was a badge of honor. And when things like syscon and pconsole were just the bomb against what Windows had. Netware was the system everyone used. And then Microsoft got into networking, and Netware went by the wayside for many people.

Nowadays, most people don't even look to Novell for IT solutions, even though they continue to have a strong offering for Windows and have repositioned themselves firmly in the Linux camp. But recently I had an eye-opening experience that makes me believe Novell is done licking their wounds from the workgroup networking battle they had with Microsoft and have come out fighting in this new 'Internet'worked world.

And I don't think Microsoft is paying enough attention to it. Big mistake.

I was given an interesting Christmas present this year. My wife bought me a book entitled ".NET Web Services: Architecture and Implementation with .NET" which had me so interested I read it in two days. This is interesting because I have tried to stay away from web services for some time now as I waited for it to mature a bit. That and I have just been too busy working on kernel mode code in Windows to care. But recently that has changed with some new work that I am planning on doing.

In an effort to look objectively at building a Software as a Service (SaaS) product, I have spent some time in December looking at all the different technology solutions on the market. From Ruby on Rails to the LAMP stack to ASP.NET. And everything in between. As I started to do the math and ROI calculations on learning curves, licensing requirements and tool purchase plans I came to one realization. I like the idea of Web Services. And I like C#. But there is no way in hell a SaaS startup should go with a Microsoft solution, as it is just WAY too much money.

Robert Scoble knows this. He talked about it in his 12 reasons Web 2.0 entrepreneurs like Ross tell me that they aren't using Microsoft's stuff. Sam Ramji said it even better in his post on the topic when he said:

I've been working hard to develop a strong Microsoft-based offering for startups building SaaS companies, because the economics are with LAMP right now.

For those that don't know, LAMP is Linux + Apache + MySQL + PHP/Perl/Python. It seems to be the defacto standard for startups these days. Read Robert's and Sam's posts to see why. But I think Novell has an opportunity to change that... and in a big way.

Remember how I said that I like the idea of web services, and C#... but don't believe that the Microsoft Windows stack is the way to go? I really believe that. But you can't get web services and C# with LAMP. With Novell in the picture, though, it could be done with LAMM.

LAMM?

Linux + Apache + MySQL + Mono.

Mono is just killer. It is an open source implementation of the .NET framework for Unix environments, sponsored by Novell. And it works AWESOME. After reading up on web services I wrote my first one on a Debian Linux system in less than 20 minutes. And I was consuming the web service in both a Windows Forms stand-alone app and an ASP.NET web app running on a different Linux box running Ubuntu about an hour after that. Another 30 minutes went by and I had it consumed in a web part on SharePoint. Novell has figured out how to get distributed computing working, and offers a solution on a well-tested stack (Linux + Apache + MySQL) that startups can use NOW.

This has a lot of appeal to me. It means SaaS startups can start with the LAMM stack, and then decide later to move to a Windows stack WITHOUT ANY CODE MODIFICATION to the web service (if written correctly to NOT use platform specific classes). It allows for really interesting scaling as a SaaS grows. It can decide to stay on Linux, move to Windows (or Solaris or OSX for that matter) or use a combination of any of those solutions as the infrastructure grows.

For Web 2.0 companies this opens up a whole new set of possibilities. It means you can still leverage some of the great architecture of the .NET framework without having to invest a lot of money on the initial deployment. And if you decide down the road that you made the wrong selection on the stack you chose... you simply move to the one you like without having to make any major changes to the underlying code. You can't do that with LAMP.

Wake up Microsoft. Novell's support for LAMM may just let them steal back some of the marketshare you took. I know they sold me. I won't be paying for another Windows server for this SaaS project. I am going with LAMM.

Posted by SilverStr at 08:47 AM | Comments (6) | TrackBack

December 30, 2005

Are you WMF'd to death yet?

Wondering why you haven't seen any feedback from me on the most recent 0-day exploit on Windows, which takes advantage of a vulnerability in the graphics rendering engine? I took a vacation away from the computer for a few days to catch up on some technical reading, and came back to a plethora of information that pretty much sums up anything I would say. In a blog post in the next few days, I will post just WHAT I was reading, as it's pretty interesting. I'm shaking my head as I absorb some of this new stuff.

Anyways, as a summary of the past few days where the world has been screaming that the sky is falling, here is the nitty gritty that matters (at least from my POV):

  • Before you do anything, go read the Microsoft Security Advisory (MSA 912840) on the matter.
  • According to the guys over at Sunbelt, Microsoft may be incorrectly stating that software DEP will help mitigate this threat. It seems that hardware DEP works, but software DEP from Microsoft does not. No one has reported whether any of the other software DEP agents defend against this attack.
  • Susan has a great post on how to filter out WMF attachments on Exchange.
  • Jesper has an excellent post on how to block certain extensions with ISA. Even when he goes on holidays he has time to play with ISA :)
  • The easiest fix (temporarily) is to unregister the vulnerable code, using "REGSVR32 /U SHIMGVW.DLL" (without the quotes of course) from Start->Run.

I disagree with Susan that it is too drastic to unregister the DLL. It's quite a trivial fix that significantly mitigates this threat without impacting the rest of the system. So you don't get pretty thumbnails. But you do prevent the exploit through this attack vector (I will point out it won't stop someone opening an exploited WMF in MS Paint, etc.). And with the ability to push this out to all the desktops pretty quickly with a script... it takes no time to toggle it on/off. YMMV of course.

That's pretty much all you will hear from me on the WMF issue for now. You can read the other 1,000,000 blog posts about it for more information.

Posted by SilverStr at 03:29 PM | Comments (4) | TrackBack

December 24, 2005

Happy Holidays!

Hey gang. I just wanted to let everyone know that I appreciate your thoughts and wisdom shown in your emails and the rare comment on my blog. Thanks for making this year both enjoyable and educational. I wish you a happy holiday and a joyous New Year.

May 2006 find you happy, safe and secure. All my best wishes,

Dana

Posted by SilverStr at 02:35 PM | Comments (2) | TrackBack

December 19, 2005

Review of 12 Weeks with Geeks

So Joel finally got his DVD out to me and I had a chance to watch Aardvark'd: 12 Weeks with Geeks last weekend.

I don't have much to report. As a "film" it was well done. (aka: production quality was good). It was interesting watching the 12 weeks progress. Unfortunately, I totally missed the boat on what the content was when I ordered it. I thought it would show the 'Joel on Software' development and testing process for Copilot.com. Although it contained bits, it was more a documentary of the geeks... not the work flow process. Of course, reading the title of the damn DVD should have told you that. *sigh*

I wasn't bored, but I wasn't engaged either. Maybe if I was a 20-something geek again, I might have enjoyed it more. However, it was an amusing approach that showed what it's like for an intern to work at a software company these days. And it will probably be a pretty good marketing/recruitment piece for Fog Creek Software.

To be honest, I hoped for more, judging from the fact Joel has interesting stuff I like to read. But that shouldn't distract from the fact that this is a good piece of documentary with a clear storyline. If you are interested in the physics of jumping between buildings, how to grow tomatoes in New York and occasionally how to develop and test software, it's worth the $20 and an hour of your time.

Posted by SilverStr at 02:36 PM | Comments (1) | TrackBack

OCT 31 = DEC 25... 'Merry Treat!'

I just realized something. As someone who understands the bowels of computers I understand the difference between decimal and octal. But I never imagined that it had scary 'inner meanings'.

Consider this:

  • Both Halloween and Xmas have weird people dressing up. Be it ghosts and goblins or Santa suits and elves. Adults look just as ridiculous.
  • Both holidays require adults to go out and buy gifts, and pretty, colourful lights. (Of course on Halloween those lights blow up in the sky!)
  • Both holidays require you to HIDE the gifts until the last possible moment, so as not to spoil the surprise. That and prevent dad from playing with or eating the gifts.
  • Both holidays have you wishing it was already over half way through the night. And then when done, wonder where the time went!
  • Both holidays have kids begging that there is no coal in their stocking/sack.
  • Both holidays have annoyingly happy kids running around on sugar highs.

Scary, isn't it? So when the next kid comes to the door, say 'Merry Treat' while holding a sickle and a bowl of candied egg-nog while you wear a ghoul's mask with a Santa hat. No one will know the difference. Except 'Olive' the other reindeer (aka: Fluffy with antlers), that used to laugh and call you names.

Happy holidays.

Posted by SilverStr at 02:11 PM | Comments (1) | TrackBack

December 15, 2005

Useful registry hack to "Run As" MSI packages

Oh man what a find today! I noticed a post on Michael Willer's blog where he shows how to tweak the registry so you can finally right click and "Run As" MSI packages when you are running with least privilege in Windows.

  1. Run regedit.exe under an account with administrative privileges
  2. Create the key HKEY_CLASSES_ROOT\Msi.Package\shell\runas\
  3. Set the default value to Install &as...
  4. Create the key HKEY_CLASSES_ROOT\Msi.Package\shell\runas\command\
  5. Set the default value to msiexec /i "%1"
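The five steps above as a single .reg file you can import instead of clicking through regedit (an added example, not from Michael's post; the key and value names are exactly the ones listed above). It needs the same administrative rights as step 1, since HKEY_CLASSES_ROOT is a merged view and the write lands in HKEY_LOCAL_MACHINE\SOFTWARE\Classes.

```reg
Windows Registry Editor Version 5.00

; Adds an "Install as..." verb to the context menu of .msi files
; (Msi.Package is the ProgID that the .msi extension maps to)
[HKEY_CLASSES_ROOT\Msi.Package\shell\runas]
@="Install &as..."

; The "runas" verb makes Explorer prompt for alternate credentials,
; then runs msiexec with the selected package substituted for %1
[HKEY_CLASSES_ROOT\Msi.Package\shell\runas\command]
@="msiexec /i \"%1\""
```

Double-click the file (or run regedit /s on it) from an administrative account, then right-click any .msi as a limited user to see the new entry.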

This is uber kewl. It drives me nuts when I download an MSI and can't simply right-click and Run-As to install. Thanks for the tip Michael!

Posted by SilverStr at 02:23 PM | Comments (2) | TrackBack

December 14, 2005

Interested in a job as Security Vulnerability Engineer?

Recently I was contacted for an opportunity to interview for a position as a Security Vulnerability Engineer for a company in McLean, Virginia. As this specific opportunity was not of interest to me at this time, I thought I might pass it on to the information security professionals out there that might have an interest, and read my blog regularly.

I don't know much about the position past the information in the posting, nor do I even know the actual company that is looking for the engineer. However, if you believe you are qualified feel free to contact Carlos directly at cfernandez(at)dncnow.com or by calling him at 703-538-2596 x 9102.

You can read the details for the job posting of a Security Vulnerability Engineer here.

Good luck.

Posted by SilverStr at 01:08 PM | Comments (0) | TrackBack

December 12, 2005

Circumventing Group Policy as a Limited User

Remember when I blogged how "10 registry settings will NOT Harden your Windows XP box"? If you recall, one of the points I made was that it was very easy to get around things like "RestrictRun" and Software Restriction Policies (SRP) if you can execute any arbitrary code. I went further to say that because no effort goes into checking the validity or path of the executable, it was easy to bypass.

Mark Russinovich has an EXCELLENT post that takes this further. In his technique he uses the DLL injection techniques described by Jeff Richter in Programming Applications for Microsoft Windows (Microsoft Press) to load a DLL into all the processes on the system to which the user running it has access. In this way, it's possible to bypass the security checks that take place with SRP without even caring about the path. He basically hooks the registry and returns a failure when the system tries to access those keys. Brilliant technique. And Mark even wrote a simple application called Gpdisable that shows this in action.

Everyone should take some time to read his entry and see his step by step account of how this works, including screenshots showing how Mark uses his own Regmon and Process Explorer tools to diagnose this.

Great job Mark.

Posted by SilverStr at 02:23 PM | Comments (0) | TrackBack

December 11, 2005

Bidding on 0 day Excel vulnerabilities on eBay

What is this world coming to? On the Full Disclosure list there was a report with a link to an eBay item in which an attacker was selling a 0 day vulnerability for Excel. 19 bids occurred before eBay finally pulled it. You can see a screenshot here that was taken before eBay got a hold of it.

What gets me was that the seller on eBay acknowledged that he reported the vulnerability to Microsoft a few days earlier, but that now, and I quote:

It can be assumed that no patch addressing this vulnerability will be available within the next few months. So, since I was unable to find any use for this by-product of Microsoft developers, it is now available for you at the low starting price of $0.01 (a fair value estimation for any Microsoft product).

Is this guy nuts? Oh... and my favorite part:

It is up to you what to do with it, but you may not use it for malicious purposes - see terms and conditions below.

Ya right. Like that was gonna happen if this auction actually occurred. And then of course trying to absolve himself from responsibility, the terms include the fact he cannot be held liable under any circumstances. Dude, I doubt that will hold up in court.

The special offer was sort of funny:

"Microsoft representatives get 10% off the final price. To qualify, you MUST provide @microsoft.com e-mail address and MUST mention discount code LINUXRULZ during checkout."

I thought he said he reported it already to Microsoft on December 8th?

Anyways, worth a laugh, a groan and finally a sigh. This world is full of nut jobs.

Posted by SilverStr at 03:21 PM | Comments (1) | TrackBack

Wanna see how easy it is to compromise an unpatched Windows Server?

Whoppix has done it again. As recorded by the attacker, have a look at how easy it is to compromise a Windows 2000 server with an unpatched IIS5 installation. Before you go and say "but Windows Server 2003 and IIS6 are out", remember that so many people are still on Windows 2000. And that so many people are hanging these things on the Internet straight after a default installation.

If you wondered why I use Knoppix-STD for a lot of my pentest stuff, this is why. Check out the Whoppix video showing the attack using such tools. In this particular case, the attacker tunnels exploits through SSH (plink.exe) that is thrown up on the compromised Windows server.

Posted by SilverStr at 02:39 PM | Comments (2) | TrackBack

December 04, 2005

Security by Obscurity ALONE is NOT Enough: How 10 registry settings will NOT Harden your Windows XP box

Today I was informed of a new paper by Debra Shinder on 10 Registry Hacks for hardening Windows XP security. Now, I have read and enjoyed other pieces of work from Debra over at WindowsSecurity.com, but this one just doesn't cut it for me. I think a lot of information is missing in this paper that quite frankly, isn't really hardening XP security at all.

First and foremost, if you are going to write a paper on registry tweaks to increase the security effectiveness of Windows XP, you REALLY need to explain the benefits and drawbacks of the change. Risks need to be clearly identified from the perspective of a threat model. Simply making a change and not understanding the real underlying impact could be dangerous in any organization.

Secondly, a lot of these "security hardening" tips can easily be circumvented. As an example, in #3, where she explains that you can use RestrictRun to limit what a user can run, she creates a false sense of security by stating that they can only run what is in the list. Here is a quick way to bypass this security setting. It only checks the list by name, finding the first instance in the environment path when executed. This means that if you have access to Explorer or even Internet Explorer, you can simply rename whatever you want to execute to an allowed name, and then be done with it. What would I do? If they allowed msword.exe to run I would copy regedit.exe to msword.exe and place it in a dir at the beginning of the PATH environment variable. Guess what? I simply run "msword.exe" and then go into this registry key and turn off this setting. Why does this work? Because no effort goes into checking the validity or path of the executable. It does it simply by name. It is possible to lock down run execution on a system, but it takes more than simply making this change.

But then again, if you recall I always state that security is about risk mitigation, not risk avoidance. As part of a plethora of other configuration changes, it is possible to control how a user uses the system. RestrictRun can be very effective when bundled with group policy and strict ACLs that prevent such actions. Everything needs to be weighed accordingly. But simply making this change is not enough.

Some settings that Debra suggests sound good in theory, but aren't so good in practice. Consider the recommendation to flush the pagefile.sys on shutdown. Great idea in theory. The pagefile holds plenty of juicy bits of privileged information that can easily be extracted with the right tools. But the benefits of this setting are simply outweighed by the drawbacks. What do I mean? Well, consider this. First off, what this prevents is people seeing information from memory on the hard drive. But it's only useful for inactive hard drives after shutdown. This means that the attacker would have had to have PHYSICAL access to the box to steal it. So other security measures should already be in place to prevent that. Oh, and any good computer forensic auditor will tell you that the first thing you do when seizing a machine is pull the plug on the machine, keeping the pagefile intact on the hard drive. The setting does NOTHING to prevent that.

Now you might be saying to yourself... ya, but what about laptops? Well, first off, the pagefile only gets wiped on shutdown, and most people suspend or hibernate their machines. Secondly, as Susan so eloquently stated to me, "this is a career limiting move" since if you tried to have your CEO accept this practice, he's gonna think about firing you. Why? These days with the amount of memory in the machines, it takes an AWFULLY long time to write out the page file. In many cases you might just have to pull the battery on the puppy. Remember, executives are running around all day. The last thing they need to do is sit and wait for their laptops to shut down.

Another thing to look at is the fact that of the 10 registry tweaks, Debra uses 4 of them in HKEY_CURRENT_USER. This means that any security setting you try to set for the user can easily be circumvented by the user by simply running regedit.exe. And that is assuming that she is using least privilege correctly and is running all accounts as "limited users". I'm not entirely sure that she is.

Why do I say that? Because if you try to access the System properties as a limited user you will find you don't have permissions to modify the very things she says this tweak will prevent! Try it. As a "limited user", you will find that you can't do a lot. Oh, and if that doesn't convince you that this setting is pretty moot, simply open up the Run box and type "control sysdm.cpl" (without the quotes) and the System panel will come up anyways. Security by obscurity alone is not enough to make a system secure. Especially when it's so trivial to get access to the very things she is trying to prevent.

Her suggestion of preventing null sessions is OK. But this would be better handled in a personal firewall. Why? Because you can then audit when someone TRIES to make such a connection to the machine. It's not only important that you make good security decisions to meet corporate security policy objectives, you need to be able to audit and measure these decisions accordingly. It's a much better idea to ensure you can log access violations against your security policy through these means rather than by simply blocking them with a registry setting.

Her last recommendation to hide the Security tab is something I am completely against. First off, normal limited users typically don't have that turned on by default. And Administrators SHOULD have this on so they can see the ACLs on the system. More importantly, this is so easy to circumvent as a limited user by simply opening up an explorer window, going to the "Tools" menu, selecting "Folder Options", selecting View and then unchecking "Use Simple File Sharing".

Now to be fair, I believe that Debra's registry tweaks have merit. As part of a defense in depth posture some of these settings can indeed help when deployed correctly. However, it's a far cry from actually "hardening Windows XP" from users. If this document was updated to include defining the threats that the changes mitigate against, and the risks and drawbacks of making these security changes, it might make for a much better paper.

I would recommend you go check out some of Debra's other papers over at WindowsSecurity.com. This paper is uncharacteristic of her past performance, and you might find more useful information there.

YMMV.

Posted by SilverStr at 01:35 PM | Comments (0) | TrackBack