Tuesday, August 22, 2006

Censorship and Common Sense in Security

Recently I posted a vulnerability to bugtraq@securityfocus.com which is a public board for the open discussion of security issues. I reposted the message a week later and again a few days after that. Finally several days later I received an email saying that the moderator hasn't taken action on my post. I finally resolved to notify a moderator only to find out that there are many and their information is not readily apparent even in the "you've been rejected" email. So I posted a message that was sure to get a reaction. The response came in less than 2 minutes. This is a far cry from the previous posts that took more than 24 hours to be included.

So now that I had their attention the moderator began debating. He argued that confidentiality / privacy issues were not "security" related issues and didn't belong on the board. I was stunned. I reminded the moderator that the basic tenets of security are CIA (Confidentiality, Integrity, Availability). The moderator then responded with a two page rant about why Firefox wasn't mandated to provide confidentiality or integrity.

I am concerned about the state of flaw disclosure in the computer security world. It appears that moderators favor some products and post the most inconsequential flaws for other programs. It seems a privileged few companies get off easy while others get hammered.

I'm all for the little guy and I love Firefox, which is why I hoped that publishing this vulnerability would help get it fixed more quickly. I hope that in the future, security discussion boards will post "equal opportunity" flaws. By so doing Bugtraq can help improve all products rather than hide exploitable vulnerabilities for certain favored vendors.

David Cross

Wednesday, August 02, 2006

The 10 Immutable Laws of Security and Why There Should be 11 or maybe just 3

When talking to a Microsoft representative about a security vulnerability they will immediately ignore what you are trying to tell them and point you to the 10 immutable laws of security. (This is so they have fewer items on their plate to fix, hoping that you will get tired of trying to talk to them and go away.) David Cross from Trust Security Consulting tried to talk to MS about an issue which would allow an attacker to disable all protective software (anti-virus, firewalls, anti-spyware) and basically open the door wide to create a communication channel back to the hacker's computer or to another computer on the net. The official answer from a security guru at Microsoft was: read the 10 immutable laws of security and don't bother writing back.

Let me sum up the 10 immutable laws of security that Microsoft forwards to people who are trying to help them...
1) if someone puts a file on your computer then it's not your computer any more
2) if blah, blah blah, it's not your computer anymore
3) if blah blah blah, it's not your computer anymore
... (keep repeating the same stuff over and over)
10) technology is not a panacea

So in summary all the blah-blahs basically say the same thing: if you put ANYTHING on your computer it's not your computer any more. Let's not overcomplicate Microsoft's little world for a moment and breathe a breath of fresh air and have a little Irish Spring Soap commercial moment where all the software on our computer is Microsoft software and we are blissfully happy with nary a care in the world.

Ok, now that we have achieved momentary ignorance let's take a look at reality. (Sorry) There are software developers other than Microsoft! "What!?" you say, as you are snapped back into a cruel reality where monopolies don't promise everlasting visions of waterfalls and lilting Irish accents. Then you take a quick look at your start menu. There are probably 40 or more pieces of software installed on your system that are not owned by our friend the billionaire philanthropist. Stranger still is that many of these were put on by the manufacturer. Wow! So according to Microsoft's 10 LAWS they and we have already broken what, 9 of them? Shame on us! If computers need 3rd party software to do what we want them to, then why should we allow that to mean our computers are already compromised?

So what's the big deal? So are we to accept that our computers are compromised at this point? Hmmm. That would be the assumption, but then again we are smart users and have installed Microsoft's, or heaven forbid, some other brand of anti-virus, anti-spyware and firewall software! We are forward thinkers after all and are concerned about the safety of our data. Now we are assured by each of these non-monopoly companies that their software stops hackers dead in their tracks. Now we bump into rule #10 in the immutable laws. Technology is not a cure-all. True enough, however application level firewalls are surprisingly robust now and incredibly effective if used properly. So we are safe!! Yay! Microsoft's little shield system tray monitor even tells us that our world is already looking rosy now that we have all the little shields showing green lights.

So why should we not expect our computer to be safe even though we have 3rd party software installed? Firewalls stop most of the common spy capabilities of even our most trusted software like the Microsoft media player, which checks back with the mother ship to let them know what you are doing with it and if you are playing licensed movies. So now that our nifty firewall can stop that and stop all the other ad-ware based programs from downloading their ads and communicating back everything you are doing... Shouldn't we feel safe now? Yes!

We should feel safe. After all, there are two types of hacking, one of which Microsoft totally ignores with its blanket "if someone puts a program on your computer then you're not safe" crap. Our computers have defenses against external threats trying to get in, and thankfully, contrary to Law 10, even defenses against internal threats trying to get out.

So there are more than just remotely exploitable vulnerabilities? There is such a thing as a locally exploitable vulnerability! WoW! To quote a popular Far Side comic where polar bears are preparing to attack an igloo and eat the contents, the one polar bear says to the other "these are hard and crunchy on the outside, soft and chewy on the inside". Hmm, that reminds me of Microsoft's assumptions in the 10 laws. Basically that's what the first 9 laws say. After all, when reporting a recent vulnerability that can shut down anti-virus AND firewall software AND anti-spyware software with one simple function call I was immediately referred to the 10 Laws and told that they were not interested unless the exploit was a remote exploit.

So their solution is making the outside harder and crunchier but the inside still should be soft and chewy? Hmmm.

What if security was treated like the Louvre, where it's incredibly hard to get in and once you steal a painting it's impossible to get out? Wouldn't that be cool? Isn't that how it's supposed to be?

So really, there should be a concept even in Microsoft's vocabulary of security from outside-in AND inside-out. The point at which bad software can't get in and bad software can't get out is when I'll be dreaming in Irish Spring style commercials complete with the waterfalls, fresh clean scents, and maybe a cute girl with a Scottish accent instead of Irish.
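The "inside-out" control the post is asking for is, in practice, a host firewall that blocks outbound connections by default and allows only the programs you explicitly trust, then logs what it drops. The following is an added example, not code from the original post or from Trust Security Consulting; it assumes a modern Windows host (Windows 8 / Server 2012 or later, where the NetSecurity cmdlets exist, which the 2006 post predates) and an elevated PowerShell session. The program path is a placeholder.

```powershell
# Added example (not from the original post): turn the host firewall from
# "hard on the outside, soft on the inside" into a two-way control.

# 1. Show the current posture. The common default is inbound Block, outbound Allow,
#    which is exactly the soft-and-chewy inside the post complains about.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction

# 2. Hardened posture: every profile on, and BOTH directions blocked by default.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Block

# 3. Re-open only what is needed, scoped to a named program where possible.
#    The path below is a placeholder for a program you actually trust.
New-NetFirewallRule -DisplayName "Allow trusted browser HTTPS out" `
    -Direction Outbound -Action Allow `
    -Program "C:\Program Files\ExampleVendor\browser.exe" `
    -Protocol TCP -RemotePort 443

# Name resolution is needed by almost everything, so allow it by protocol/port.
New-NetFirewallRule -DisplayName "Allow DNS out" `
    -Direction Outbound -Action Allow -Protocol UDP -RemotePort 53

# 4. Log dropped packets so software phoning home without permission becomes visible
#    in the firewall log instead of silently failing.
Set-NetFirewallProfile -Profile Domain,Private,Public -LogBlocked True `
    -LogFileName "%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log"

# 5. Verify the result: only explicitly allowed outbound rules should remain enabled.
Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
    Select-Object DisplayName, Profile
```

Expect things to break at first: any updater, media player or ad-supported program that was quietly talking to its vendor will now show up in the log as a dropped connection, which is the point of the exercise. Add rules per program as you decide each one is legitimate rather than re-enabling outbound Allow globally.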

Tuesday, July 25, 2006

Blogger Screen Saver

Just for kicks the other day I made a screen saver using .NET that reads RSS blog feeds and shows snippets from them while rotating through pictures you have set in a directory on your computer.

The downside I guess is that you need the .NET 2.0 framework if you don't have it already.

I'll post it shortly and let you check it out. You can keep tabs on a buddy's blog or keep tabs on your own blog.

Monday, July 10, 2006

Of Blogger snarfs and hacks

I built the template for this blog from the Blogger login page. Don't worry it's not stealing anything... it could be, but that's beside the point. It's kinda fun for a different look. This nifty capability is just one of the things that makes Blogger.com a little less secure than say... the DOD.

If you are interested in the template I'll forward it to you if you can, in return, point me to some cool new template hack or interesting web site, or if you can tell me of someone on the board who is being hacked I'll pass it along to the big guys upstairs.

Pop in a fake username and password in the login area at the top and voila... it's been snarfed.

I won't tell you about the other CSS's I found in Blogger. By the last report they had fixed two of the three. (Thanks to Chris at Google who is a guru and a nice guy to boot!)


Friday, July 07, 2006

And you thought it couldn't be done

I'm a computer security guy who's too busy for words. There are so many things happening right now as far as cool hacks out there. Of course I feel compelled to learn as many of them as possible.

Not long ago I reported a few issues to Google regarding Blogger.com. Some of the features that make the system really cool also make it easy to pilfer passwords and stuff so beware if you are on someone's blog and suddenly it asks you to sign in again. That's a sure sign that someone is trying to snarf your password.

I am working for a small company right now but I maintain a web site that has cool security shareware on it that I've written. There's something there for every web tinkerer, from programs that let you test web sites without using a browser in case you're examining sites with active vulnerabilities on them. I've also got a program on there that stops about 70% of active hacks out there for IE and allows you to blacklist sites you don't care to ever be bothered by again, like advert / spam sites or sites you know are up to no good. There are also programs to help you snarf web content including text and screenshots. Anyway, if you care... take a look and see what you can pick up there for free.

My site is: http://www.trustsecurityconsulting.com