Category Archives: security

adobe, microsoft, security, vista

Microsoft’s Misunderstood Misunderstandings

Microsoft has revised its document describing Five Misunderstood features in Windows Vista.

I’m not going to analyse the revisions, as others have done that, though I will mention in passing that Adobe Acrobat’s Compare Documents feature does a nice job of showing the revisions:

 

However, I would like to highlight this comment to Steven Poole’s post, from Microsoft’s Brandon Paddock:

Those changes were made because the original article was written without the involvement of the engineering teams and so it contained a great deal of inaccuracy.

Quite a confession.

The trouble is, even fixing inaccuracies doesn’t rescue the document from its faulty presumption that Vista’s poor public image is all down to misunderstandings. That ain’t straight talking. That’s spin.

The irony is that some features of Vista are misunderstood – UAC especially. Here’s some real straight talking on the subject, from Marc Russinovitch:

The bottom line is that elevations were introduced as a convenience that encourages users who want to access administrative rights to run with standard user rights by default. Users wanting the guarantees of a security boundary can trade off convenience by using a standard user account for daily tasks and Fast User Switching (FUS) to a dedicated administrator account to perform administrative operations. On the other hand, users who want to forgo security in favor of convenience can disable UAC on a system in the User Accounts dialog in the Control Panel, but should be aware that this also disables Protected Mode for Internet Explorer.

Perfect.

Technorati tags: , , , ,

google, security, web authoring

Google Gears support in WordPress – is this the road to plug-in hell?

Interesting to see Gears support in WordPress 2.6:

The patch adds all static files used in the admin interface to a single offline storage. That speeds up page loading a lot, as it serves virtually all requests for static files from the computer’s HD instead of the network. So instead of 50-60 requests to the server on some pages, there are only 2-3.

Very simple, very effective. A user blogs the experience here.

So is Gears taking off? Maybe. There’s Zoho; there’s Google itself, there’s MySpace, which uses Gears for searching and sorting messages. Note that Gears is still in beta; it’s curious that major sites are willing to use it in that state, but that’s the Internet for you.

I have reservations about Gears. There’s the security angle. More seriously, there’s the question about whether this is the right way to extend the browser. Google is doing its own thing; so is Yahoo with BrowserPlus; so is Adobe with Flash, and Microsoft with Silverlight. All of them swear that they love browser standards, and in some cases (like local storage) there may be consolidation towards a standard API – see here for a good discussion – but there is real danger of plug-in hell.

Security is bound to be an issue as well, since the more browsers and their plug-ins interact with the client (which is the purpose of these extensions), the more potential there is for compromising the client.

internet, linux, open source, security

More on Debian’s OpenSSL bungle

2 Comments

I reported on this in the Guardian. Interesting piece to research. First, the history. You can find the exchange between Karl Roeckx and Ulf Möller here. An unfortunate mistake; I make mistakes too (it was my fault that a name was misspelt in the Guardian piece, for example), so rather than heap blame on individuals I suggest this is more about a problem with the process; the only people making significant changes to the source code of such an critical library should be the committers responsible for that library. No doubt the incident is prompting a review of the process for updating Debian, Ubuntu and other distros; perhaps we will end up with a slower but less vulnerable flow of updates.

Second, a remark from Tim Callan at Verisign which there was not room for in this piece. I asked him whether Verisign knows which of the certificates it has issued are bad. “Unfortunately we don’t have those key pairs to look at them and scan them and tell which ones are good and which ones are not,” he told me. All Verisign can do is to ask its customers to check, which Callan says it is doing “very very aggressively.” In mitigation, Verisign does have a record of what operating system was used to purchase the certificate, but this is not the same thing; it is an imperfect process. The only fix is to revoke and replace the bad ones, which the company is offering to do for free.

Third, there are two distinct risks here. First, weak SSL certificates. Versign is embarrassed because it has been issuing weak certificates; its core product has been undermined. However, according to Netcraft, of the 870,000 secure web servers on the Internet, only 20,000 report themselves as Debian and 4,000 as Ubuntu. The true figure will be somewhat more than that, but that is a relatively small proportion; and exploiting the weakness takes a bit of effort.

The second problem is the possibility of intercepting or cracking SSH tunnels used to administer affected servers. We saw this demonstrated at a hacking briefing run by NCC Group yesterday. Let’s assume that administrators use SSH authenticated with a private key – a common scenario – and that the key was generated by the faulty Open SSL library. I suspect this will have been true for many more than 20,000 servers, though a lot will now have been fixed. All you need to do is to run a script against that server armed with a list of the possible keys – under a thousand, according to the demo we saw*. When you get a hit, you can connect to that server, most likely with full root permissions.

The most hardened servers will not be so easy to crack. They will authenticate as a user with limited rights, and use su to elevate. They will limit access to specific IP addresses. They will use additional passphrases. And they will have changed the keys within hours of the problem being discovered.

Still, there are plenty of less secure servers out there, so what that means is that an unknown number of servers will have been compromised, and more will follow. If you are lucky, the intruders will hack your website and do obvious damage so the server will get cleaned up. If you are unlucky, the intruder will be discreet and quietly start stealing credit card numbers, or taking advantage of any information or privileges obtained to get access to additional servers or data, or make occasional use of the server in botnet attacks. Who knows?

Servers getting rooted is not a new problem; and it’s not yet clear whether this incident is more than a ripple. Colin Phipps at Netcraft doesn’t think it is. “We’ll see a lot of panicked system administrators,” he told me, “and we’ll see a lot of scepticism about open source.” That last point is probably the most significant.

*I’m told this was artificially reduced for the demo – but there are only 32,676 keys possible private keys to brute force access. However, even using the full set of 2048-bit RSA keys NCC Group successfully broke into a system which used Debian to generate SSH keys in 20 minutes, and think it could often be done in half that time.

open source, security, web authoring

Painful Debian / Ubuntu SSL bug

2 Comments

A bug in the Debian-modified version of OpenSSL (also used by Ubuntu) means that cryptographic keys generated on Debian systems for the last couple of years may be insecure. Instead of being well randomized, they are easily guessable.

More information about the vulnerability is here; how to fix it here.

How much does this matter? The full scope has not emerged yet; but as I understand it, it affects self-generated keys. Those who purchased certificates from a third-party certificate authority are not affected, unless one of those authorities turns out to have been using the broken version which is unlikely. Even if you purchased certificates from a third-party certificate authority, you would still be affected if you generated the certificate request on a system with the broken OpenSSL library (thanks to Nico for the correction below).

This means that a large number of supposedly secure SSH connections or SSL connections to web sites and servers over the last couple of years were actually not very secure at all.

If nothing else, it shows how easy it is to be falsely reassured, to think you are secure when you are not.

It also shows the risks of modifying security code. The problem is not with OpenSSL, but with changes made by a Debian coder who thought he was fixing something when in fact he was breaking it.

This site runs on Debian and I’ve spent some time today checking it for vulnerability and regenerating keys.

Technorati tags: , , ,
internet, security, software, software development

My high risk blog reader

I posted yesterday about the report from PC Tools saying that Vista is more prone to malware than Windows 2000.

The company kindly sent me its press release on the subject and is promising more information. According to the release, the figures are based on a tool called ThreatFire, available in free and commercial editions, which by default reports threats discovered back to PC Tools for analysis and statistics. ThreatFire is a behavioural tool; that is, it does not rely on signatures of known malware, but detects suspicious behaviour.

I thought I should try this tool on my own machine. I probably count as a high-risk user, since I frequently browse the web and download and run software, sometimes unsigned software. Would ThreatFire find any malware?

It did not take long:

The application is my own custom blog reader, a simple .NET app which calls the common feed list API and renders blog posts in the WebBrowser control.

Looks like a false positive to me. Still, I poked around in the dialog. The risk level is supposedly high. The Technical Details link does not tell you any more about what the app did that was suspicious, but identifies the files I can choose to quarantine. The link that says “Learn more about this threat” does a Google search on the file name.

By the way, doing a random web search on what is potentially malware strikes me as poor practice. Here’s what online help says:

Click the Learn more about this threat link to launch a quick web search on the threat.  In most cases the result of this search provides a clear indication of how to proceed.

Ever tried searching for the name of an executable or process? The bad guys and the scammers know we do this; and you will be offered all manner of “security” products some of which are likely spyware or malware themselves. A foolish thing to encourage. Further, how will a random web search provide “a clear indication of how to proceed”? It’s the wild web, no more, no less.

My blog reader is not very famous, so in this case Google found nothing. I’m puzzled that ThreatFire doesn’t tell you more about the supposedly malicious activity, like what data was sent and where, so that the user would have more chance of judging whether this is really a dangerous app.

I guess the “threat” is now in the PC Tools database, and my machine marked as Vista with malware. I’ll be interested to see what else it finds.

Technorati tags: , ,
security, vista, windows

Is Vista more prone to malware than Windows 2000?

So says the research department of PC Tools, apparently.

I was intrigued as I’ve investigated security in Vista. I went along to the PC Tools site in search of more information. Unfortunately there is no relevant press release in the news section or other details. I did find an article on ars technica that asks the questions I wanted to ask, but no answers.

I also registered on the site as press in search of further information, and received my username and password back as a plain text email. Remarkable, for a security company.

I don’t mean to be cynical; I really am interested, but frankly stories like this are worthless without more information. I blogged three years ago about exaggerated claims made by a security company. These companies are unlikely to put out releases saying that we no longer need their products.

My question to these security folk: given that most PC users (that I see) have been scared into using their products, why have we not seen a corresponding reduction in malware infections? It is as if the industry is glad to brag about the failure of its products.

Technorati tags: , , ,
security, software development, vista, windows

Buying a Microsoft code-signing certificate from Thawte? Don’t use Vista.

5 Comments

Here’s the problem. You go along to http://www.thawte.com and ask to buy a Microsoft authenticode certificate. It’s the right thing to do; signing code is increasingly important in these days of Internet delivery of applications; and unsigned code presents the user with dire warnings that may unnerve them.

So you go to buy a certificate. The way this works is in two stages. When you apply for the certificate, you are issued with a new private key, but not the certificate itself. Thawte then does its due diligence and checks out that you really do represent the organization for which you are requesting a certificate. Finally, you can go back and download the certificate and get on with signing your apps.

This process works differently on Vista than on XP. I got this wrong when I first tried it, because it is not obvious. To begin with, you have to relax IE’s security for the thawte site – ironic, for a security operation – and make sure it is not running in protected mode. Next, the first page of the application is a big form that has the details of the organization, how you are going to pay, and so on. If you complete this on Vista, and click Submit, you get a message saying “This web site is requesting a new certificate on your behalf”:

 

You complete the application, sit back and wait. A few days later you get an email saying your certificate is ready for download. You download it; it is a file called something like mycert.spc. You can right-click and choose Install Certificate, to place it in the Windows certificate store. You can even sign code with it. Just open a Visual Studio command prompt, type:

signtool signwizard

and off you go. You can select the new certificate from your certificate store, timestamp the code (recommended), and you’re done.

So what’s the problem? Well, what if you want to sign code on a different machine than the one on which you applied for the certificate? And what if you want to back up your certificate?

Did you realise when you made the purchase that you were irretrievably hooking the certificate to the actual Vista installation which you were using for the transaction?

It is all to do with the private key. To sign code, you need the private key, which was installed into your certificate store when that first page of the application was submitted. Unfortunately it cannot be exported; it is marked as non-exportable, which means the Export feature of Vista’s Certificate Manager will not allow the private key to be exported. Thawte cannot re-issue the private key; the only solution I know of is to get the entire certificate revoked reissued (fortunately this is a free service).

This problem does not occur on Windows XP. Here is the evidence. The screenshot below shows part of the application form on Vista:

Now, here is the same part of the form on Windows XP (still IE7):

Spot the difference? An additional section appears in XP, which lets you specify where to save your private key as a file with a .pvk extension. On Vista, you don’t get that choice and you don’t get a .pvk file. Once you have both the .pvk and the .spc files, you can backup or move the certificate wherever you want, with full signing capability. You can import the the certificate plus private key into your certificate store using this tool:

http://www.microsoft.com/downloads/details.aspx?FamilyID=F9992C94-B129-46BC-B240-414BDFF679A7&displaylang=EN

which is billed as a tool for Office 2000, but works fine for this purpose.

Now, I guess this is a security feature. If you have these private key files hanging around, they are easier to steal than if they are locked into your certificate store and marked non-exportable. Fair enough, but I’d rather make that decision for myself, than have it imposed by an obscure installation process.

internet, security

MySpace account hacked

Around two years ago, I set up a MySpace account in order to try the service. I confess I hardly ever log in, and have not done so for several months. I’m sometimes reminded that I have an account by spam friend invitations, which I ignore.

Today I was puzzled to get email notifications of several spam comments on my MySpace blog. Puzzling – I have no posts on MySpace. Except I have (or did have): when I logged in, I found about a dozen blog posts and a similar number of bulletin posts made in my name. All spam. You don’t get notification of your own posts, so it was only when comments were made that I became aware of the problem. If I had any real content in the account I would be embarrassed.

I cleaned it up and changed my password, but I’m intrigued. Did a hacker (or more likely a hacker bot) guess my password, or is MySpace just easy to hack? I suspect the latter. I doubt it was a cross-site attack, since I am never logged in.

Technorati tags: , ,
google, security, web authoring

Is Google Gears safe?

3 Comments

I imagine that is the question most users will ask when they see this dialog:

There are a couple of things I don’t like about this dialog. First, the website is defined only by an URL. The problem is, it’s a plain http connection so there’s no SSL certificate involved, so I can’t easily check the identity of the site. This one is Google, so it’s not too difficult; but what if it is some other site? It is not particularly easy to verify the ownership of an URL; whois information is not reliable.

Second, what are the implications of my decision? If you click What is this, you get this page, which explains offline functionality but doesn’t mention security. It does mention that Gears is a beta – personally I think this should be up-front in the security warning dialog as well. Do you trust this beta software?

If you go to the Frequently Asked Questions, there is still no mention of security. Is nobody asking about it? This article is the closest I can see, but merely repeats the information in the original dialog, that Gears allows websites to write to my computer. Enquiring minds ask: where can they write data? Where can they read data? Could they install malware or execute code?

We could do with a link to this page, about the Gears security model. This tells me that Gears uses a same origin policy:

A web page with a particular scheme, host, and port can only access resources with the same scheme, host, and port.

It also says:

Google Gears data files are protected with the user’s operating system login credentials. Users with separate login names cannot access each other’s Google Gears data files, as enforced by the operating system.

The bit about “as enforced by the operating system” should be highlighted. If your users have local admin rights, as on some Windows boxes, they will be able to access files belonging to other users.

But is Gears safe? What if I’m taken in by a scam site and give it permission to use Gears?

It may not be too bad. Gears can’t write anywhere on my hard drive, only to a location in my local profile or home directory. It doesn’t use the browser cache, presumably because it isn’t reliable; it may get cleared. Still, I guess some sort of attack might be possible along the lines of: write an executable to my local resource store, then give me a link to click and run it. Gears could fill your home directory with stuff you do not want, of course, but that’s the explicit permission you give when you agree to let a site write to your computer.

This presumes that Gears does not have security bugs. There may be and probably are ways to mount attacks using Gears that I have not thought of.

Bottom line: Gears is probably fairly safe, provided that the site really is trustworthy, but it is a beta and the usual caveats apply. Check that URL carefully. Avoid Gears when used by smaller organizations that might not have sites well defended against malware. I still don’t like the dialog though; and I’m surprised that Google does not make it easier for users to examine the security issues.

This post is prompted by yesterday’s announcement of Offline access to Google Docs.