Thursday, 30 September 2010

Security Digest #13

This month's highlight: Copyright! Srsly! And versatility too.


The Microsoft Security Development Lifecycle team announced last month that all of the SDL documentation publicly released to date, and other SDL process content presently available to the development community, would become so under a Creative Commons licence.

Here is the specific licence chosen by the MS SDL team. Basically, you can do just about anything with any and all of the resources in the Security Development Lifecycle, except sell them.

Bravo, MS-SDL! Although you probably don't realise how much of my recent work you've obsoleted with this (nonetheless extremely welcome) move. Now I can just replace my own carefully edited SDL guidelines with your originals. Cheers for that.

Antivirus Versus Versatility

Via: ZDNet, others.

In what Kaspersky Lab's Ryan Naraine called "a startling disclosure", Microsoft revealed that four separate zero-day security vulnerabilities, two of which remained unpatched at the time of writing, were exploited by the hackers behind the recent Stuxnet worm attack. Affected systems were brought under the complete control of the attacker, through the exploitation of two, still unpatched, Elevation of Privilege vulnerabilities, by the sophisticated malware.

During the process of patch creation, as well as its preceding research phase, Microsoft worked closely with Kaspersky Lab, who discovered two of the three new zero-day exploits. Initially, Microsoft say, the old Conficker attack vector (vulnerability MS08-067, from October 2008) was targeted; this was backed up by the deployment of a Print Spooler Service zero-day, and a new Windows shortcut (LNK) defect.

Ongoing International Sabotage

This type of combination of attack vectors is rare and likely to remain so. Although the tools to automate it are starting to appear, many experts and researchers believe Stuxnet to be the work of a wealthy nation state, designed ultimately to attack supervisory control and data acquisition (SCADA) systems. More specifically, it appears to be aimed at certain Siemens Simatic SCADA system software, like that used in Iranian nuclear facilities, where more than half the infected sites are found.

With continuing speculation of an Israeli cyberstrike against Iran's burgeoning nuclear programme, and the latter country's recent pleas for outside help fighting the sustained and worsening attacks on its most important military and industrial centres, it's clear this story hasn't yet run its full course.

Google Malware

The Google Code project is Google's official developer site, a fantastic repository-style resource featuring APIs, developer tools and various other technical kit. Including, as the media discovered just this month, the facilities to host and distribute several kinds of malicious Web-based code.

The publication of that already widely known fact (see: Zscaler, cnet/McAfee) to a wider audience was what prompted Websense to look more closely at what's on offer there. One juicy offering they discovered was r57shell, a notorious PHP-based Web console, which has been on open display in Google's window since November 2007. Websense points out that...
This variant was developed by the black-hat community and is also known to be backdoored, which means that some versions are planted with backdoor code, so users of this software themselves are exposed to an attack.
The report, The Ultimate BlackHat Tool Kit hosted by Google Code, includes screenshots of the r57shell source code, which should be of considerable utility to the budding anarchists among you.

Interesting times, Mister Bond.

Monday, 20 September 2010

Twenty Questions

Attacking an Oracle

The biggest and loudest exploit of recent times has to be that ASP.NET crypto vulnerability.

Publicly disclosed at a security conference (ekoparty in Argentina) on the evening of Friday 17th September, it seems to have been reported and commented on at every visible blog to date. So, here's another couple more comments about it!

Microsoft immediately attested to the seriousness of the vulnerability by issuing Security Advisory 2416728: "Vulnerability in ASP.NET Could Allow Information Disclosure", showing that it affects all versions of ASP.NET. Soon after, Scott Guthrie provided a short background description of cryptographic oracles, including padding oracles, which is what this particular ASP.NET vulnerability turns out to be. Ask it a question, by means of sending the web server some cipher text; and it will answer, selecting from its extensive collection of error codes.

Patience and Perseverance

These oracle attacks are very subtle by their nature. But keep watching these responses, and soon you'll be able to decrypt the rest of the cipher text.

One of the main lessons here is the same as that for last month's quantum crypto hack: practical implementations can easily nullify the effectiveness of even the very best and most secure theoretical edifice. It takes a huge amount of effort to build your own secure systems from scratch. But by the same token, so to speak: whenever possible you should use the established secure systems provided by others, the main players in the field.

For even when as here, they go wrong, you can be assured of two things:
  1. An immediate workaround (in this case, overriding all of your server's error codes meantime with a single one - but do go to Scott's post and follow the remedy exactly without trying to simplify it - oracle-type attacks seep like water through the cracks!
  2. Thorough investigations toward a resolution, e.g. via the Microsoft Active Protections Program (MAPP), and visibility through the Common Vulnerabilities and Exposures database (CVE).
Remember: apply Scott's fix literally, comprehensively and completely.

Wednesday, 15 September 2010

Bacchus Out Of Liverpool

What Ever Good Has Come?

Take music, for example. Has Liverpool ever produced a quartet of young, long haired musicians, tuned to the popular scene and groove and rut, taking the genre of the zeitgeist of their time, and running hard and fast with it, rewriting it, redefining it? Then matured and developed their creativity and technical excellence in their separate, individual ways? Ever enjoyed international success and fandom, created endlessly in the studio, woven orchestral arrangements into their highly contemporary compositions? Lost the brashness of their younger songwriting and performing sensibilities and selves? Had a member's female relative provide vocals?

Well yes, actually. Liverpool has in fact delivered such a band, and they are the originally doom metal progsters, lately post-prog poets, Anathema.

I recently bought Angry Metal Guy a pitcher of beer, for having introduced me to this band. Yeah, of course I'd already heard of them: they'd toured with Porcupine Tree, for fox ache, although we'd never arrived in time to catch their act. I also knew Steven Wilson had mixed their latest album, the one with the WWI trenchsong-inspired, philosophical handle, We're Here Because We're Here (repeat ad infinitum, to Auld Lang Syne). But there seem to be so few new albums that aren't mixed or otherwise caressed by SW nowadays! And there's nothing like good old fashioned word-of-mouth, or a favourable and well-written review, to turn you on to a new band, unheard and sight unseen.

Today's Anathema are significantly bigger than a quartet, and their most recent concert DVD, 2006's A Moment In Time, sees them sharing the stage with another such, the Bacchus String of that ilk. We're Here... is the band's first all-new studio release for seven years, and while I'm obviously not the newbie best placed to compare it to their back catalog, I'd have to express my frank disbelief that this so beautifully intricate, original and masterly album, plays - in the view of many a longtime fan - a resolutely second fiddle to certain named earlier works, viz. Judgement and A Fine Day To Exit. I have still to discover those, but now I can't wait.

These are some marvellous songs of beauty, light and melancholy. Their compositional style occasionally echoes Sigur Rós or Radiohead, working repetitive themes and simple figures into great structures with emotion and resolution, while their overall timbre evokes none so readily as Pink Floyd. The passages of female vocals provided by (drummer John's sister) Lee Douglas have a particularly forlorn beauty, whilst another (male) spoken word section is guaranteed to hold you spellbound. Elsewhere heavy, progressive, 8-minute epics lie in wait saying: Anathema mean business.

Let's leave the penultimate word to the inimitable Angry Metal Guy: "A music of Zen one could say. In fact, there is a hippiesque patchouli stank to this album that is so strong I have to plug my ear-nose™."

Well done Liverpool, always knew you'd come up with the goods eventually.

Monday, 13 September 2010

Password Reuse

...And What To Do Next?

Today's XKCD cartoon covers multiple issues.

Some of these are related to computer security, and to password issues in particular, while others (especially in the punchline) are not.

Click through to enjoy the whole page, and then just for fun, answer these two questions:

(1) What would you do with that much power? - And remember to be honest with yourself, this isn't a psychometric exam!

(2) What can you do today, in terms of the way that you manage your online identity and transactions, to prevent the puppetmasters, the guys in the black hats, from ever getting that much power over you?

Wednesday, 8 September 2010

Phys. Ed.

Keeping It Current

Li'l Neph was over last weekend, looking for some more physics tutoring. He's moved on to the "Movement" module, which is some fairly basic stuff about speeds and accelerations, forces, masses, weights, friction, and a lotta balls (golf, tennis, football and cricket feature prominently). It's the third time I've been over this module with him, and he seems to have quite a good grip on the material. [Update, Sep 13: pass!]

So far I've resisted the urge to demonstrate principles of statics by pushing him around, or hanging heavy weights off of him. On the other hand, during a previous "Electronics" module, I did indulge in a little bit of practical demonstration fun. In the middle of our treatment of Ohm's Law, I was suddenly grasped by some phantom teacher's inspiration, ran upstairs, and grabbed my multimeter and a spare, tungsten filament light bulb. We used our knowledge of the mains voltage and the bulb's power rating, to make a prediction of the filament's resistance:
R = V2/P = (240V)2/60W = 960Ω.
Of course, when we then measured the bulb's resistance using my (t)rusty multimeter, it turned out instead to be closer to 100Ω, some order of magnitude too low, and I gave my student a puzzled look. In response, a peculiar expression, a surprising combination of embarrassment and sympathy, flashed across his face, as he began searching for some excuse to exonerate his doddery old uncle...

The ensuing conversation was certainly a rewarding enough outcome from our little empirical investigation. We spoke about the variability of resistance with temperature in a hot filament, and the related issue of catastrophic bulb failure due to asynchronously switched cold surge currents. Also about technological obsolescence: how lucky I'd been to even find an incandescent bulb in the house! That led to a useful diversion, concerning how much of his textbook was, for an educational resource, irredeemably out of date. I mean, fax machines? CRT televisions? FM radio? Telephone dials?

But his look of sympathetic embarrassment, that's the one part of the lesson that I won't be forgetting about in a hurry!

Friday, 3 September 2010

This Is Your Alarm Call

I Don't Believe It!

We are registered with the Telephone Preference Service (TPS), which probably reduces cold calling, but has never quite seemed to stop it. Normally I just ask callers to repeat their identification details, then inform them of our TPS status, and the sizes of the fines involved, before bidding them good evening.

But last night's call was a classic of its kind. As always, Caller ID showed the calling number "Withheld", but I answered anyway. A woman's voice began, "Hello Mr Kerr, I'm calling from the Home Research Group. We have been given four free home alarm systems, courtesy of [company name], and you have been selected to receive one. Can you confirm your address for us? Would you be interested in a free home alarm system?" And as I asked for her to repeat the names of the parties involved, she continued to ask, "Do you have a home alarm system?"

I said, "I'd prefer not to discuss my home security provisions with you, if that's all right."

"Oh, I see. Is it something that you might be interested in?"

Aha! Suddenly it transformed into a sales call after all. At this point, I was on the verge of asking the caller for her own home address and phone number, and whether or not she had installed a house alarm. Instead I just repeated, "Actually I'd rather not discuss my home security arrangements with you."

"Oh, okay then. So I'll just pass it on?"

"Good idea. You do that. Bye."

Some days I think I'm indistinguishable from my dad.

Update, 9 Oct: they phoned again, this time a guy... so, as soon as he'd confirmed my residential details and asked if I had a home alarm system, I demanded to know his full name and home address, type of property, and whether or not he currently has a home alarm system.

- "Why would you want to know that, sir?"
- "Well exactly, why on Earth would I want to give out that kind of information to a complete stranger?"
- "But I have identified myself to you, sir."
- "Then why is your telephone number withheld?"

Today I finally did report them to TPS; they should expect a five-figure fine. And just in case you think that's harsh treatment of someone just trying to make a living out of a boiler room telemarketing job, please note that this is the company I'm talking about.

Picture taken at Vendsyssel Historiske Museum in Hjørring, Denmark © 2004 by Tomasz Sienicki

Wednesday, 1 September 2010

Tweets - August 2010